ELM-1433 refactor landing zone code into module

[pricemg]

Off the back of tfsec checks failing to pass based on a few missing permissions across the landing zone code for the three suppliers taken the opportunity to refactor the code into a module so all the fixes were only needed once.

To that end abstracted out everything required to spin up a landing zone for a supplier into a module that creates:

• an elastic ip
• an sftp server associated with that elastic ip
• user account for the supplier that can access the server
• associates ssh key and ip addresses with that user account
• generates a developer account to access the server
• can remove access for the supplier or developer from accessing the server via the endpoint

Also added in module for generating s3 logging buckets

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[github-actions]

TFSEC Scan Success

Show Output

```hcl

---

TFSEC will check the following folders:

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:

Trivy Scan

Show Output

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[github-actions]

TFSEC Scan Success

Show Output

```hcl

---

TFSEC will check the following folders:

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:

Trivy Scan

Show Output

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[github-actions]

TFSEC Scan Success

Show Output

```hcl

---

TFSEC will check the following folders:

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:

Trivy Scan

Show Output

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[github-actions]

TFSEC Scan Failed

Show Output

```hcl

---

TFSEC will check the following folders:
terraform/environments/data-platform-apps-and-tools

---

Running TFSEC in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:12
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
12 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  ────────────────────────────────────────────────────────────────────────────────

Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:19
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  ────────────────────────────────────────────────────────────────────────────────

Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:26
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
26 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  ────────────────────────────────────────────────────────────────────────────────

Result #4 HIGH Instance does not require IMDS access to require a token
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf:125
via powerbi-gateway-server.tf:14-59 (module.powerbi_gateway)
────────────────────────────────────────────────────────────────────────────────
21 resource "aws_instance" "this" {
..
125 [ http_tokens = try(metadata_options.value.http_tokens, "optional") ("optional")
...
193 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-enforce-http-token-imds
Impact Instance metadata service can be interacted with freely
Resolution Enable HTTP token requirement for IMDS

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enforce-http-token-imds/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
  ────────────────────────────────────────────────────────────────────────────────

Result #5 MEDIUM Instance does not have IAM Authentication enabled
────────────────────────────────────────────────────────────────────────────────
../../../../../git::https:/github.com/terraform-aws-modules/terraform-aws-rds?ref=ec9c2e37ccca2a41aeb89ba78f858270a9ac9381/modules/db_instance/main.tf:50
────────────────────────────────────────────────────────────────────────────────
Failed to render code: failed to read file from result filesystem ("/tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3"): open /tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3/git::https:/github.com/terraform-aws-modules/terraform-aws-rds?ref=ec9c2e37ccca2a41aeb89ba78f858270a9ac9381/modules/db_instance/main.tf: no such file or directory────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0176
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #6 MEDIUM Instance does not have IAM Authentication enabled
────────────────────────────────────────────────────────────────────────────────
../../../../../terraform-aws-modules/rds/aws/modules/db_instance/main.tf:50
────────────────────────────────────────────────────────────────────────────────
Failed to render code: failed to read file from result filesystem ("/tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3"): open /tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3/terraform-aws-modules/rds/aws/modules/db_instance/main.tf: no such file or directory────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0176
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #7 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:15-20
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
15 ┌ egress {
16 │ from_port = 5671
17 │ to_port = 5672
18 │ protocol = "tcp"
19 │ cidr_blocks = ["0.0.0.0/0"]
20 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
  ────────────────────────────────────────────────────────────────────────────────

Result #8 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:22-27
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
22 ┌ egress {
23 │ from_port = 9352
24 │ to_port = 9354
25 │ protocol = "tcp"
26 │ cidr_blocks = ["0.0.0.0/0"]
27 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
  ────────────────────────────────────────────────────────────────────────────────

Result #9 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:8-13
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
8 ┌ egress {
9 │ from_port = 443
10 │ to_port = 443
11 │ protocol = "tcp"
12 │ cidr_blocks = ["0.0.0.0/0"]
13 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
  ────────────────────────────────────────────────────────────────────────────────

timings
──────────────────────────────────────────
disk i/o 7.740594ms
parsing 29.203634363s
adaptation 25.18951ms
checks 59.966544ms
total 29.296531011s

counts
──────────────────────────────────────────
modules downloaded 32
modules processed 58
blocks processed 4123
files read 300

results
──────────────────────────────────────────
passed 113
ignored 24
critical 3
high 1
medium 2
low 3

113 passed, 24 ignored, 9 potential problem(s) detected.

tfsec_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running Checkov in terraform/environments/data-platform-apps-and-tools
2024-01-31 10:18:52,068 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:~> 2.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,068 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,068 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-user:~> 5 (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,068 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,068 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,069 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,069 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,069 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.0.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,069 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,069 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,069 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:19.21.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,070 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:None (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,070 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/efs/aws:~> 1.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,070 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,070 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,070 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,070 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 10:18:52,071 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:2.1.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 146, Failed checks: 22, Skipped checks: 44

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: powerbi_gateway
	File: /powerbi-gateway-server.tf:14-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		14 | module "powerbi_gateway" {
		15 |   source  = "terraform-aws-modules/ec2-instance/aws"
		16 |   version = "v5.6.0"
		17 | 
		18 |   name = local.environment_configuration.powerbi_gateway_ec2.instance_name
		19 |   # ami                         = data.aws_ami.windows_server_2022.id
		20 |   ami                         = "ami-00ffeb610527f540b" # Hardcoded AMI ID for Windows Server 2022
		21 |   instance_type               = local.environment_configuration.powerbi_gateway_ec2.instance_type
		22 |   key_name                    = aws_key_pair.powerbi_gateway_keypair.key_name
		23 |   monitoring                  = true
		24 |   create_iam_instance_profile = true
		25 |   iam_role_description        = "IAM role for PowerBI Gateway Instance"
		26 |   ignore_ami_changes          = false
		27 |   enable_volume_tags          = false
		28 |   associate_public_ip_address = false
		29 |   iam_role_policies = {
		30 |     SSMCore            = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
		31 |     PowerBI_DataAccess = aws_iam_policy.powerbi_gateway_data_access.arn
		32 |   }
		33 |   root_block_device = [
		34 |     {
		35 |       encrypted   = true
		36 |       volume_type = "gp3"
		37 |       volume_size = 100
		38 |       tags = merge({
		39 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-root-volume"
		40 |       }, local.tags)
		41 |     },
		42 |   ]
		43 | 
		44 |   ebs_block_device = [
		45 |     {
		46 |       volume_type = "gp3"
		47 |       device_name = "/dev/sdf"
		48 |       volume_size = 300
		49 |       encrypted   = true
		50 |       tags = merge({
		51 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-data-volume"
		52 |       }, local.tags)
		53 |     }
		54 |   ]
		55 |   vpc_security_group_ids = [aws_security_group.powerbi_gateway.id]
		56 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		57 | 
		58 |   tags = local.tags
		59 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: airflow_s3_bucket
	File: /s3.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "airflow_s3_bucket" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		7  | 
		8  |   providers = {
		9  |     aws.bucket-replication = aws
		10 |   }
		11 | 
		12 |   bucket_prefix = "moj-data-platform-airflow-${local.environment}"
		13 | 
		14 |   tags = local.tags
		15 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
	FAILED for resource: aws_route53_zone.apps_tools
	File: /route53.tf:1-3

		1 | resource "aws_route53_zone" "apps_tools" {
		2 |   name = local.environment_configuration.route53_zone
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }

Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
	FAILED for resource: aws_route53_zone.apps_tools
	File: /route53.tf:1-3

		1 | resource "aws_route53_zone" "apps_tools" {
		2 |   name = local.environment_configuration.route53_zone
		3 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running tflint in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/data-platform-apps-and-tools/random.tf line 24:
  24: resource "random_password" "datahub_rds" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan

Show Output

[github-actions]

TFSEC Scan Failed

Show Output

```hcl

---

TFSEC will check the following folders:
terraform/environments/data-platform-apps-and-tools

---

Running TFSEC in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:12
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
12 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  ────────────────────────────────────────────────────────────────────────────────

Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:19
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  ────────────────────────────────────────────────────────────────────────────────

Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:26
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
26 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  ────────────────────────────────────────────────────────────────────────────────

Result #4 HIGH Instance does not require IMDS access to require a token
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf:125
via powerbi-gateway-server.tf:14-59 (module.powerbi_gateway)
────────────────────────────────────────────────────────────────────────────────
21 resource "aws_instance" "this" {
..
125 [ http_tokens = try(metadata_options.value.http_tokens, "optional") ("optional")
...
193 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-enforce-http-token-imds
Impact Instance metadata service can be interacted with freely
Resolution Enable HTTP token requirement for IMDS

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enforce-http-token-imds/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
  ────────────────────────────────────────────────────────────────────────────────

Result #5 MEDIUM Instance does not have IAM Authentication enabled
────────────────────────────────────────────────────────────────────────────────
../../../../../git::https:/github.com/terraform-aws-modules/terraform-aws-rds?ref=ec9c2e37ccca2a41aeb89ba78f858270a9ac9381/modules/db_instance/main.tf:50
────────────────────────────────────────────────────────────────────────────────
Failed to render code: failed to read file from result filesystem ("/tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3"): open /tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3/git::https:/github.com/terraform-aws-modules/terraform-aws-rds?ref=ec9c2e37ccca2a41aeb89ba78f858270a9ac9381/modules/db_instance/main.tf: no such file or directory────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0176
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #6 MEDIUM Instance does not have IAM Authentication enabled
────────────────────────────────────────────────────────────────────────────────
../../../../../terraform-aws-modules/rds/aws/modules/db_instance/main.tf:50
────────────────────────────────────────────────────────────────────────────────
Failed to render code: failed to read file from result filesystem ("/tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3"): open /tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3/terraform-aws-modules/rds/aws/modules/db_instance/main.tf: no such file or directory────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0176
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #7 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:15-20
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
15 ┌ egress {
16 │ from_port = 5671
17 │ to_port = 5672
18 │ protocol = "tcp"
19 │ cidr_blocks = ["0.0.0.0/0"]
20 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
  ────────────────────────────────────────────────────────────────────────────────

Result #8 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:22-27
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
22 ┌ egress {
23 │ from_port = 9352
24 │ to_port = 9354
25 │ protocol = "tcp"
26 │ cidr_blocks = ["0.0.0.0/0"]
27 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
  ────────────────────────────────────────────────────────────────────────────────

Result #9 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:8-13
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
8 ┌ egress {
9 │ from_port = 443
10 │ to_port = 443
11 │ protocol = "tcp"
12 │ cidr_blocks = ["0.0.0.0/0"]
13 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
  ────────────────────────────────────────────────────────────────────────────────

timings
──────────────────────────────────────────
disk i/o 8.11019ms
parsing 12.722449399s
adaptation 24.486087ms
checks 60.560328ms
total 12.815606004s

counts
──────────────────────────────────────────
modules downloaded 32
modules processed 58
blocks processed 4123
files read 300

results
──────────────────────────────────────────
passed 113
ignored 24
critical 3
high 1
medium 2
low 3

113 passed, 24 ignored, 9 potential problem(s) detected.

tfsec_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running Checkov in terraform/environments/data-platform-apps-and-tools
2024-01-31 11:23:15,911 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,911 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:19.21.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,912 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,912 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,912 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,912 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,912 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,912 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,913 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,913 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,913 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,913 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:~> 2.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,913 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.0.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,913 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,914 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/efs/aws:~> 1.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,914 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:None (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,914 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-user:~> 5 (for external modules, the --download-external-modules flag is required)
2024-01-31 11:23:15,914 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:2.1.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 146, Failed checks: 22, Skipped checks: 44

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: powerbi_gateway
	File: /powerbi-gateway-server.tf:14-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		14 | module "powerbi_gateway" {
		15 |   source  = "terraform-aws-modules/ec2-instance/aws"
		16 |   version = "v5.6.0"
		17 | 
		18 |   name = local.environment_configuration.powerbi_gateway_ec2.instance_name
		19 |   # ami                         = data.aws_ami.windows_server_2022.id
		20 |   ami                         = "ami-00ffeb610527f540b" # Hardcoded AMI ID for Windows Server 2022
		21 |   instance_type               = local.environment_configuration.powerbi_gateway_ec2.instance_type
		22 |   key_name                    = aws_key_pair.powerbi_gateway_keypair.key_name
		23 |   monitoring                  = true
		24 |   create_iam_instance_profile = true
		25 |   iam_role_description        = "IAM role for PowerBI Gateway Instance"
		26 |   ignore_ami_changes          = false
		27 |   enable_volume_tags          = false
		28 |   associate_public_ip_address = false
		29 |   iam_role_policies = {
		30 |     SSMCore            = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
		31 |     PowerBI_DataAccess = aws_iam_policy.powerbi_gateway_data_access.arn
		32 |   }
		33 |   root_block_device = [
		34 |     {
		35 |       encrypted   = true
		36 |       volume_type = "gp3"
		37 |       volume_size = 100
		38 |       tags = merge({
		39 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-root-volume"
		40 |       }, local.tags)
		41 |     },
		42 |   ]
		43 | 
		44 |   ebs_block_device = [
		45 |     {
		46 |       volume_type = "gp3"
		47 |       device_name = "/dev/sdf"
		48 |       volume_size = 300
		49 |       encrypted   = true
		50 |       tags = merge({
		51 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-data-volume"
		52 |       }, local.tags)
		53 |     }
		54 |   ]
		55 |   vpc_security_group_ids = [aws_security_group.powerbi_gateway.id]
		56 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		57 | 
		58 |   tags = local.tags
		59 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: airflow_s3_bucket
	File: /s3.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "airflow_s3_bucket" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		7  | 
		8  |   providers = {
		9  |     aws.bucket-replication = aws
		10 |   }
		11 | 
		12 |   bucket_prefix = "moj-data-platform-airflow-${local.environment}"
		13 | 
		14 |   tags = local.tags
		15 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
	FAILED for resource: aws_route53_zone.apps_tools
	File: /route53.tf:1-3

		1 | resource "aws_route53_zone" "apps_tools" {
		2 |   name = local.environment_configuration.route53_zone
		3 | }

Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
	FAILED for resource: aws_route53_zone.apps_tools
	File: /route53.tf:1-3

		1 | resource "aws_route53_zone" "apps_tools" {
		2 |   name = local.environment_configuration.route53_zone
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running tflint in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/data-platform-apps-and-tools/random.tf line 24:
  24: resource "random_password" "datahub_rds" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan

Show Output

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[github-actions]

TFSEC Scan Failed

Show Output

```hcl

---

TFSEC will check the following folders:
terraform/environments/data-platform-apps-and-tools

---

Running TFSEC in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:12
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
12 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  ────────────────────────────────────────────────────────────────────────────────

Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:19
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  ────────────────────────────────────────────────────────────────────────────────

Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:26
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
26 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  ────────────────────────────────────────────────────────────────────────────────

Result #4 HIGH Instance does not require IMDS access to require a token
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf:125
via powerbi-gateway-server.tf:14-59 (module.powerbi_gateway)
────────────────────────────────────────────────────────────────────────────────
21 resource "aws_instance" "this" {
..
125 [ http_tokens = try(metadata_options.value.http_tokens, "optional") ("optional")
...
193 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-enforce-http-token-imds
Impact Instance metadata service can be interacted with freely
Resolution Enable HTTP token requirement for IMDS

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enforce-http-token-imds/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
  ────────────────────────────────────────────────────────────────────────────────

Result #5 MEDIUM Instance does not have IAM Authentication enabled
────────────────────────────────────────────────────────────────────────────────
../../../../../git::https:/github.com/terraform-aws-modules/terraform-aws-rds?ref=ec9c2e37ccca2a41aeb89ba78f858270a9ac9381/modules/db_instance/main.tf:50
────────────────────────────────────────────────────────────────────────────────
Failed to render code: failed to read file from result filesystem ("/tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3"): open /tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3/git::https:/github.com/terraform-aws-modules/terraform-aws-rds?ref=ec9c2e37ccca2a41aeb89ba78f858270a9ac9381/modules/db_instance/main.tf: no such file or directory────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0176
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #6 MEDIUM Instance does not have IAM Authentication enabled
────────────────────────────────────────────────────────────────────────────────
../../../../../terraform-aws-modules/rds/aws/modules/db_instance/main.tf:50
────────────────────────────────────────────────────────────────────────────────
Failed to render code: failed to read file from result filesystem ("/tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3"): open /tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3/terraform-aws-modules/rds/aws/modules/db_instance/main.tf: no such file or directory────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0176
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #7 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:15-20
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
15 ┌ egress {
16 │ from_port = 5671
17 │ to_port = 5672
18 │ protocol = "tcp"
19 │ cidr_blocks = ["0.0.0.0/0"]
20 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
  ────────────────────────────────────────────────────────────────────────────────

Result #8 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:22-27
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
22 ┌ egress {
23 │ from_port = 9352
24 │ to_port = 9354
25 │ protocol = "tcp"
26 │ cidr_blocks = ["0.0.0.0/0"]
27 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
  ────────────────────────────────────────────────────────────────────────────────

Result #9 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:8-13
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
8 ┌ egress {
9 │ from_port = 443
10 │ to_port = 443
11 │ protocol = "tcp"
12 │ cidr_blocks = ["0.0.0.0/0"]
13 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
  ────────────────────────────────────────────────────────────────────────────────

timings
──────────────────────────────────────────
disk i/o 8.050689ms
parsing 13.304686729s
adaptation 44.156083ms
checks 42.316598ms
total 13.399210099s

counts
──────────────────────────────────────────
modules downloaded 32
modules processed 58
blocks processed 4123
files read 300

results
──────────────────────────────────────────
passed 113
ignored 24
critical 3
high 1
medium 2
low 3

113 passed, 24 ignored, 9 potential problem(s) detected.

tfsec_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running Checkov in terraform/environments/data-platform-apps-and-tools
2024-01-31 12:21:13,989 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,989 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:19.21.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,989 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,989 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,989 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,989 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,990 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,990 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,990 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,990 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,990 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,990 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:~> 2.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,991 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.0.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,991 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,991 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/efs/aws:~> 1.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,991 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:None (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,991 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-user:~> 5 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:21:13,991 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:2.1.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 146, Failed checks: 22, Skipped checks: 44

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: powerbi_gateway
	File: /powerbi-gateway-server.tf:14-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		14 | module "powerbi_gateway" {
		15 |   source  = "terraform-aws-modules/ec2-instance/aws"
		16 |   version = "v5.6.0"
		17 | 
		18 |   name = local.environment_configuration.powerbi_gateway_ec2.instance_name
		19 |   # ami                         = data.aws_ami.windows_server_2022.id
		20 |   ami                         = "ami-00ffeb610527f540b" # Hardcoded AMI ID for Windows Server 2022
		21 |   instance_type               = local.environment_configuration.powerbi_gateway_ec2.instance_type
		22 |   key_name                    = aws_key_pair.powerbi_gateway_keypair.key_name
		23 |   monitoring                  = true
		24 |   create_iam_instance_profile = true
		25 |   iam_role_description        = "IAM role for PowerBI Gateway Instance"
		26 |   ignore_ami_changes          = false
		27 |   enable_volume_tags          = false
		28 |   associate_public_ip_address = false
		29 |   iam_role_policies = {
		30 |     SSMCore            = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
		31 |     PowerBI_DataAccess = aws_iam_policy.powerbi_gateway_data_access.arn
		32 |   }
		33 |   root_block_device = [
		34 |     {
		35 |       encrypted   = true
		36 |       volume_type = "gp3"
		37 |       volume_size = 100
		38 |       tags = merge({
		39 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-root-volume"
		40 |       }, local.tags)
		41 |     },
		42 |   ]
		43 | 
		44 |   ebs_block_device = [
		45 |     {
		46 |       volume_type = "gp3"
		47 |       device_name = "/dev/sdf"
		48 |       volume_size = 300
		49 |       encrypted   = true
		50 |       tags = merge({
		51 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-data-volume"
		52 |       }, local.tags)
		53 |     }
		54 |   ]
		55 |   vpc_security_group_ids = [aws_security_group.powerbi_gateway.id]
		56 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		57 | 
		58 |   tags = local.tags
		59 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: airflow_s3_bucket
	File: /s3.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "airflow_s3_bucket" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		7  | 
		8  |   providers = {
		9  |     aws.bucket-replication = aws
		10 |   }
		11 | 
		12 |   bucket_prefix = "moj-data-platform-airflow-${local.environment}"
		13 | 
		14 |   tags = local.tags
		15 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
	FAILED for resource: aws_route53_zone.apps_tools
	File: /route53.tf:1-3

		1 | resource "aws_route53_zone" "apps_tools" {
		2 |   name = local.environment_configuration.route53_zone
		3 | }

Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
	FAILED for resource: aws_route53_zone.apps_tools
	File: /route53.tf:1-3

		1 | resource "aws_route53_zone" "apps_tools" {
		2 |   name = local.environment_configuration.route53_zone
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running tflint in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/data-platform-apps-and-tools/lambda-functions.tf line 38:
  38:         "${module.auth0_log_streams["alpha-analytics-moj"].cloudwatch_log_group_arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/data-platform-apps-and-tools/random.tf line 24:
  24: resource "random_password" "datahub_rds" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan

Show Output

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[github-actions]

TFSEC Scan Failed

Show Output

```hcl

---

TFSEC will check the following folders:
terraform/environments/data-platform-apps-and-tools

---

Running TFSEC in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:12
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
12 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  ────────────────────────────────────────────────────────────────────────────────

Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:19
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  ────────────────────────────────────────────────────────────────────────────────

Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:26
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
26 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  ────────────────────────────────────────────────────────────────────────────────

Result #4 HIGH Instance does not require IMDS access to require a token
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf:125
via powerbi-gateway-server.tf:14-59 (module.powerbi_gateway)
────────────────────────────────────────────────────────────────────────────────
21 resource "aws_instance" "this" {
..
125 [ http_tokens = try(metadata_options.value.http_tokens, "optional") ("optional")
...
193 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-enforce-http-token-imds
Impact Instance metadata service can be interacted with freely
Resolution Enable HTTP token requirement for IMDS

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enforce-http-token-imds/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
  ────────────────────────────────────────────────────────────────────────────────

Result #5 MEDIUM Instance does not have IAM Authentication enabled
────────────────────────────────────────────────────────────────────────────────
../../../../../git::https:/github.com/terraform-aws-modules/terraform-aws-rds?ref=ec9c2e37ccca2a41aeb89ba78f858270a9ac9381/modules/db_instance/main.tf:50
────────────────────────────────────────────────────────────────────────────────
Failed to render code: failed to read file from result filesystem ("/tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3"): open /tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3/git::https:/github.com/terraform-aws-modules/terraform-aws-rds?ref=ec9c2e37ccca2a41aeb89ba78f858270a9ac9381/modules/db_instance/main.tf: no such file or directory────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0176
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #6 MEDIUM Instance does not have IAM Authentication enabled
────────────────────────────────────────────────────────────────────────────────
../../../../../terraform-aws-modules/rds/aws/modules/db_instance/main.tf:50
────────────────────────────────────────────────────────────────────────────────
Failed to render code: failed to read file from result filesystem ("/tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3"): open /tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3/terraform-aws-modules/rds/aws/modules/db_instance/main.tf: no such file or directory────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0176
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #7 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:15-20
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
15 ┌ egress {
16 │ from_port = 5671
17 │ to_port = 5672
18 │ protocol = "tcp"
19 │ cidr_blocks = ["0.0.0.0/0"]
20 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
  ────────────────────────────────────────────────────────────────────────────────

Result #8 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:22-27
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
22 ┌ egress {
23 │ from_port = 9352
24 │ to_port = 9354
25 │ protocol = "tcp"
26 │ cidr_blocks = ["0.0.0.0/0"]
27 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
  ────────────────────────────────────────────────────────────────────────────────

Result #9 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:8-13
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
8 ┌ egress {
9 │ from_port = 443
10 │ to_port = 443
11 │ protocol = "tcp"
12 │ cidr_blocks = ["0.0.0.0/0"]
13 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
  ────────────────────────────────────────────────────────────────────────────────

timings
──────────────────────────────────────────
disk i/o 8.223932ms
parsing 12.362355576s
adaptation 28.153201ms
checks 61.329789ms
total 12.460062498s

counts
──────────────────────────────────────────
modules downloaded 32
modules processed 58
blocks processed 4123
files read 300

results
──────────────────────────────────────────
passed 113
ignored 24
critical 3
high 1
medium 2
low 3

113 passed, 24 ignored, 9 potential problem(s) detected.

tfsec_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running Checkov in terraform/environments/data-platform-apps-and-tools
2024-01-31 12:23:39,044 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:~> 2.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,044 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,044 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-user:~> 5 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,044 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,044 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,044 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,045 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,045 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.0.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,045 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,045 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,045 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:19.21.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,045 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:None (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,045 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/efs/aws:~> 1.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,046 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,046 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,046 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,046 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:23:39,046 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:2.1.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 146, Failed checks: 22, Skipped checks: 44

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: powerbi_gateway
	File: /powerbi-gateway-server.tf:14-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		14 | module "powerbi_gateway" {
		15 |   source  = "terraform-aws-modules/ec2-instance/aws"
		16 |   version = "v5.6.0"
		17 | 
		18 |   name = local.environment_configuration.powerbi_gateway_ec2.instance_name
		19 |   # ami                         = data.aws_ami.windows_server_2022.id
		20 |   ami                         = "ami-00ffeb610527f540b" # Hardcoded AMI ID for Windows Server 2022
		21 |   instance_type               = local.environment_configuration.powerbi_gateway_ec2.instance_type
		22 |   key_name                    = aws_key_pair.powerbi_gateway_keypair.key_name
		23 |   monitoring                  = true
		24 |   create_iam_instance_profile = true
		25 |   iam_role_description        = "IAM role for PowerBI Gateway Instance"
		26 |   ignore_ami_changes          = false
		27 |   enable_volume_tags          = false
		28 |   associate_public_ip_address = false
		29 |   iam_role_policies = {
		30 |     SSMCore            = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
		31 |     PowerBI_DataAccess = aws_iam_policy.powerbi_gateway_data_access.arn
		32 |   }
		33 |   root_block_device = [
		34 |     {
		35 |       encrypted   = true
		36 |       volume_type = "gp3"
		37 |       volume_size = 100
		38 |       tags = merge({
		39 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-root-volume"
		40 |       }, local.tags)
		41 |     },
		42 |   ]
		43 | 
		44 |   ebs_block_device = [
		45 |     {
		46 |       volume_type = "gp3"
		47 |       device_name = "/dev/sdf"
		48 |       volume_size = 300
		49 |       encrypted   = true
		50 |       tags = merge({
		51 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-data-volume"
		52 |       }, local.tags)
		53 |     }
		54 |   ]
		55 |   vpc_security_group_ids = [aws_security_group.powerbi_gateway.id]
		56 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		57 | 
		58 |   tags = local.tags
		59 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: airflow_s3_bucket
	File: /s3.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "airflow_s3_bucket" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		7  | 
		8  |   providers = {
		9  |     aws.bucket-replication = aws
		10 |   }
		11 | 
		12 |   bucket_prefix = "moj-data-platform-airflow-${local.environment}"
		13 | 
		14 |   tags = local.tags
		15 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
	FAILED for resource: aws_route53_zone.apps_tools
	File: /route53.tf:1-3

		1 | resource "aws_route53_zone" "apps_tools" {
		2 |   name = local.environment_configuration.route53_zone
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }

Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
	FAILED for resource: aws_route53_zone.apps_tools
	File: /route53.tf:1-3

		1 | resource "aws_route53_zone" "apps_tools" {
		2 |   name = local.environment_configuration.route53_zone
		3 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running tflint in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/data-platform-apps-and-tools/lambda-functions.tf line 38:
  38:         "${module.auth0_log_streams["alpha-analytics-moj"].cloudwatch_log_group_arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/data-platform-apps-and-tools/random.tf line 24:
  24: resource "random_password" "datahub_rds" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan

Show Output

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[modernisation-platform-ci]

@pricemg Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

[github-actions]

TFSEC Scan Failed

Show Output

```hcl

---

TFSEC will check the following folders:
terraform/environments/data-platform-apps-and-tools

---

Running TFSEC in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:12
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
12 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  ────────────────────────────────────────────────────────────────────────────────

Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:19
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  ────────────────────────────────────────────────────────────────────────────────

Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:26
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
26 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  ────────────────────────────────────────────────────────────────────────────────

Result #4 HIGH Instance does not require IMDS access to require a token
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf:125
via powerbi-gateway-server.tf:14-59 (module.powerbi_gateway)
────────────────────────────────────────────────────────────────────────────────
21 resource "aws_instance" "this" {
..
125 [ http_tokens = try(metadata_options.value.http_tokens, "optional") ("optional")
...
193 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-enforce-http-token-imds
Impact Instance metadata service can be interacted with freely
Resolution Enable HTTP token requirement for IMDS

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enforce-http-token-imds/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
  ────────────────────────────────────────────────────────────────────────────────

Result #5 MEDIUM Instance does not have IAM Authentication enabled
────────────────────────────────────────────────────────────────────────────────
../../../../../git::https:/github.com/terraform-aws-modules/terraform-aws-rds?ref=ec9c2e37ccca2a41aeb89ba78f858270a9ac9381/modules/db_instance/main.tf:50
────────────────────────────────────────────────────────────────────────────────
Failed to render code: failed to read file from result filesystem ("/tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3"): open /tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3/git::https:/github.com/terraform-aws-modules/terraform-aws-rds?ref=ec9c2e37ccca2a41aeb89ba78f858270a9ac9381/modules/db_instance/main.tf: no such file or directory────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0176
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #6 MEDIUM Instance does not have IAM Authentication enabled
────────────────────────────────────────────────────────────────────────────────
../../../../../terraform-aws-modules/rds/aws/modules/db_instance/main.tf:50
────────────────────────────────────────────────────────────────────────────────
Failed to render code: failed to read file from result filesystem ("/tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3"): open /tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3/terraform-aws-modules/rds/aws/modules/db_instance/main.tf: no such file or directory────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0176
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #7 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:15-20
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
15 ┌ egress {
16 │ from_port = 5671
17 │ to_port = 5672
18 │ protocol = "tcp"
19 │ cidr_blocks = ["0.0.0.0/0"]
20 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
  ────────────────────────────────────────────────────────────────────────────────

Result #8 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:22-27
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
22 ┌ egress {
23 │ from_port = 9352
24 │ to_port = 9354
25 │ protocol = "tcp"
26 │ cidr_blocks = ["0.0.0.0/0"]
27 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
  ────────────────────────────────────────────────────────────────────────────────

Result #9 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:8-13
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
8 ┌ egress {
9 │ from_port = 443
10 │ to_port = 443
11 │ protocol = "tcp"
12 │ cidr_blocks = ["0.0.0.0/0"]
13 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

• https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
  ────────────────────────────────────────────────────────────────────────────────

timings
──────────────────────────────────────────
disk i/o 7.812436ms
parsing 17.544702766s
adaptation 45.232692ms
checks 43.577937ms
total 17.641325831s

counts
──────────────────────────────────────────
modules downloaded 32
modules processed 58
blocks processed 4123
files read 300

results
──────────────────────────────────────────
passed 113
ignored 24
critical 3
high 1
medium 2
low 3

113 passed, 24 ignored, 9 potential problem(s) detected.

tfsec_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running Checkov in terraform/environments/data-platform-apps-and-tools
2024-01-31 12:44:56,647 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,648 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:19.21.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,648 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,648 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,648 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,648 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,649 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,649 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,649 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,649 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,649 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,649 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:~> 2.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,650 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.0.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,650 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,650 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/efs/aws:~> 1.0 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,650 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:None (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,650 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-user:~> 5 (for external modules, the --download-external-modules flag is required)
2024-01-31 12:44:56,650 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:2.1.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 146, Failed checks: 22, Skipped checks: 44

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: powerbi_gateway
	File: /powerbi-gateway-server.tf:14-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		14 | module "powerbi_gateway" {
		15 |   source  = "terraform-aws-modules/ec2-instance/aws"
		16 |   version = "v5.6.0"
		17 | 
		18 |   name = local.environment_configuration.powerbi_gateway_ec2.instance_name
		19 |   # ami                         = data.aws_ami.windows_server_2022.id
		20 |   ami                         = "ami-00ffeb610527f540b" # Hardcoded AMI ID for Windows Server 2022
		21 |   instance_type               = local.environment_configuration.powerbi_gateway_ec2.instance_type
		22 |   key_name                    = aws_key_pair.powerbi_gateway_keypair.key_name
		23 |   monitoring                  = true
		24 |   create_iam_instance_profile = true
		25 |   iam_role_description        = "IAM role for PowerBI Gateway Instance"
		26 |   ignore_ami_changes          = false
		27 |   enable_volume_tags          = false
		28 |   associate_public_ip_address = false
		29 |   iam_role_policies = {
		30 |     SSMCore            = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
		31 |     PowerBI_DataAccess = aws_iam_policy.powerbi_gateway_data_access.arn
		32 |   }
		33 |   root_block_device = [
		34 |     {
		35 |       encrypted   = true
		36 |       volume_type = "gp3"
		37 |       volume_size = 100
		38 |       tags = merge({
		39 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-root-volume"
		40 |       }, local.tags)
		41 |     },
		42 |   ]
		43 | 
		44 |   ebs_block_device = [
		45 |     {
		46 |       volume_type = "gp3"
		47 |       device_name = "/dev/sdf"
		48 |       volume_size = 300
		49 |       encrypted   = true
		50 |       tags = merge({
		51 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-data-volume"
		52 |       }, local.tags)
		53 |     }
		54 |   ]
		55 |   vpc_security_group_ids = [aws_security_group.powerbi_gateway.id]
		56 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		57 | 
		58 |   tags = local.tags
		59 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: airflow_s3_bucket
	File: /s3.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "airflow_s3_bucket" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		7  | 
		8  |   providers = {
		9  |     aws.bucket-replication = aws
		10 |   }
		11 | 
		12 |   bucket_prefix = "moj-data-platform-airflow-${local.environment}"
		13 | 
		14 |   tags = local.tags
		15 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
	FAILED for resource: aws_route53_zone.apps_tools
	File: /route53.tf:1-3

		1 | resource "aws_route53_zone" "apps_tools" {
		2 |   name = local.environment_configuration.route53_zone
		3 | }

Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
	FAILED for resource: aws_route53_zone.apps_tools
	File: /route53.tf:1-3

		1 | resource "aws_route53_zone" "apps_tools" {
		2 |   name = local.environment_configuration.route53_zone
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running tflint in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/data-platform-apps-and-tools/lambda-functions.tf line 38:
  38:         "${module.auth0_log_streams["alpha-analytics-moj"].cloudwatch_log_group_arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/data-platform-apps-and-tools/random.tf line 24:
  24: resource "random_password" "datahub_rds" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan

Show Output