GitHub Actions Code Formatter workflow #4829

github-actions · 2024-02-05T04:51:15Z

This pull request includes updates from the GitHub Actions Code Formatter workflow. Please review the changes and merge if everything looks good.

github-actions · 2024-02-05T15:55:32Z

`TFSEC Scan` Failed

Show Output

```hcl

TFSEC will check the following folders:
terraform/environments/dacp

Running TFSEC in terraform/environments/dacp
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:223
────────────────────────────────────────────────────────────────────────────────
207 resource "aws_security_group" "ecs_service" {
...
223 [ cidr_blocks = ["0.0.0.0/0"]
...
225 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────

Results #2-6 CRITICAL Security group rule allows ingress from public internet. (5 similar results)
────────────────────────────────────────────────────────────────────────────────
load_balancer.tf:27-45
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_security_group" "dacp_lb_sc" {
.
27 ┌ cidr_blocks = [
28 │ "179.50.12.212/32",
29 │ "92.177.120.49/32",
30 │ "194.33.196.0/25",
31 │ "194.33.192.0/25",
32 │ "52.67.148.55/32",
33 └ "89.32.121.144/32",
..
────────────────────────────────────────────────────────────────────────────────
Individual Causes

load_balancer.tf:1-63 (aws_security_group.dacp_lb_sc) 5 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ingress-sgr
Impact Your port exposed to the internet
Resolution Set a more restrictive cidr range

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────

Result #7 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
load_balancer.tf:53
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_security_group" "dacp_lb_sc" {
.
53 [ cidr_blocks = ["0.0.0.0/0"]
..
63 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────

Result #8 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
load_balancer.tf:61
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_security_group" "dacp_lb_sc" {
.
61 [ cidr_blocks = ["0.0.0.0/0"]
..
63 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────

Result #9 CRITICAL Instance is exposed publicly.
────────────────────────────────────────────────────────────────────────────────
rds.tf:12
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_db_instance" "dacp_db" {
.
12 [ publicly_accessible = true (true)
..
16 }
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-no-public-db-access
Impact The database instance is publicly accessible
Resolution Set the database to not be publicly accessible

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/no-public-db-access/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────

Result #10 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
rds.tf:57
────────────────────────────────────────────────────────────────────────────────
23 resource "aws_security_group" "postgresql_db_sc" {
..
57 [ cidr_blocks = ["0.0.0.0/0"]
..
60 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────

Results #11-12 HIGH IAM policy document uses wildcarded action 'ecr:' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
ecs.tf:144-148
────────────────────────────────────────────────────────────────────────────────
135 resource "aws_iam_role_policy" "app_execution" {
...
144 ┌ "Action": [
145 │ "ecr:",
146 │ "logs:*",
147 │ "secretsmanager:GetSecretValue"
148 └ ],
...
155 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

ecs.tf:135-155 (aws_iam_role_policy.app_execution) 2 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────

Result #13 HIGH IAM policy document uses sensitive action 'ecr:' on wildcarded resource ''
────────────────────────────────────────────────────────────────────────────────
ecs.tf:149
────────────────────────────────────────────────────────────────────────────────
135 resource "aws_iam_role_policy" "app_execution" {
...
149 [ "Resource": "*",
...
155 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────

Results #14-17 HIGH IAM policy document uses wildcarded action 'logs:' (4 similar results)
────────────────────────────────────────────────────────────────────────────────
ecs.tf:194-199
────────────────────────────────────────────────────────────────────────────────
184 resource "aws_iam_role_policy" "app_task" {
...
194 ┌ "Action": [
195 │ "logs:",
196 │ "ecr:",
197 │ "iam:",
198 │ "ec2:*"
199 └ ],
...
205 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

ecs.tf:184-205 (aws_iam_role_policy.app_task) 4 instances
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────

Result #18 HIGH IAM policy document uses sensitive action 'logs:' on wildcarded resource ''
────────────────────────────────────────────────────────────────────────────────
ecs.tf:200
────────────────────────────────────────────────────────────────────────────────
184 resource "aws_iam_role_policy" "app_task" {
...
200 [ "Resource": "*"
...
205 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────

Result #19 HIGH Image scanning is not enabled.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:227-230
────────────────────────────────────────────────────────────────────────────────
227 resource "aws_ecr_repository" "dacp_ecr_repo" {
228 name = "dacp-ecr-repo"
229 force_delete = true
230 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecr-enable-image-scans
Impact The ability to scan images is not being used and vulnerabilities will not be highlighted
Resolution Enable ECR image scanning

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enable-image-scans/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration
────────────────────────────────────────────────────────────────────────────────

Result #20 HIGH Repository tags are mutable.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:227-230
────────────────────────────────────────────────────────────────────────────────
227 resource "aws_ecr_repository" "dacp_ecr_repo" {
228 name = "dacp-ecr-repo"
229 force_delete = true
230 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecr-enforce-immutable-repository
Impact Image tags could be overwritten with compromised images
Resolution Only use immutable images in ECR

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enforce-immutable-repository/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
────────────────────────────────────────────────────────────────────────────────

Result #21 HIGH Topic does not have encryption enabled.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:308-311
────────────────────────────────────────────────────────────────────────────────
308 resource "aws_sns_topic" "dacp_utilisation_alarm" {
309 count = local.is-development ? 0 : 1
310 name = "dacp_utilisation_alarm"
311 }
────────────────────────────────────────────────────────────────────────────────
ID aws-sns-enable-topic-encryption
Impact The SNS topic messages could be read if compromised
Resolution Turn on SNS Topic encryption

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/sns/enable-topic-encryption/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
────────────────────────────────────────────────────────────────────────────────

Result #22 HIGH Application load balancer is not set to drop invalid headers.
────────────────────────────────────────────────────────────────────────────────
load_balancer.tf:119-127
────────────────────────────────────────────────────────────────────────────────
119 resource "aws_lb" "dacp_lb" {
120 name = "dacp-load-balancer"
121 load_balancer_type = "application"
122 security_groups = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
123 subnets = data.aws_subnets.shared-public.ids
124 enable_deletion_protection = false
125 internal = false
126 depends_on = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
127 }
────────────────────────────────────────────────────────────────────────────────
ID aws-elb-drop-invalid-headers
Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
Resolution Set drop_invalid_header_fields to true

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────

Result #23 HIGH Load balancer is exposed publicly.
────────────────────────────────────────────────────────────────────────────────
load_balancer.tf:125
────────────────────────────────────────────────────────────────────────────────
119 resource "aws_lb" "dacp_lb" {
120 name = "dacp-load-balancer"
121 load_balancer_type = "application"
122 security_groups = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
123 subnets = data.aws_subnets.shared-public.ids
124 enable_deletion_protection = false
125 [ internal = false (false)
126 depends_on = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
127 }
────────────────────────────────────────────────────────────────────────────────
ID aws-elb-alb-not-public
Impact The load balancer is exposed on the internet
Resolution Switch to an internal load balancer or add a tfsec ignore

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────

Result #24 HIGH Instance does not have storage encryption enabled.
────────────────────────────────────────────────────────────────────────────────
rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_db_instance" "dacp_db" {
2 │ allocated_storage = local.application_data.accounts[local.environment].allocated_storage
3 │ db_name = local.application_data.accounts[local.environment].db_name
4 │ storage_type = local.application_data.accounts[local.environment].storage_type
5 │ engine = local.application_data.accounts[local.environment].engine
6 │ identifier = local.application_data.accounts[local.environment].identifier
7 │ engine_version = local.application_data.accounts[local.environment].engine_version
8 │ instance_class = local.application_data.accounts[local.environment].instance_class
9 └ username = local.application_data.accounts[local.environment].db_username
..
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-encrypt-instance-storage-data
Impact Data can be read from RDS instances if compromised
Resolution Enable encryption for RDS instances

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/encrypt-instance-storage-data/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────

Result #25 HIGH Instance has Public Access enabled
────────────────────────────────────────────────────────────────────────────────
rds.tf:12
────────────────────────────────────────────────────────────────────────────────
12 publicly_accessible = true
────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0180
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #26 MEDIUM Instance has very low backup retention period.
────────────────────────────────────────────────────────────────────────────────
rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_db_instance" "dacp_db" {
2 │ allocated_storage = local.application_data.accounts[local.environment].allocated_storage
3 │ db_name = local.application_data.accounts[local.environment].db_name
4 │ storage_type = local.application_data.accounts[local.environment].storage_type
5 │ engine = local.application_data.accounts[local.environment].engine
6 │ identifier = local.application_data.accounts[local.environment].identifier
7 │ engine_version = local.application_data.accounts[local.environment].engine_version
8 │ instance_class = local.application_data.accounts[local.environment].instance_class
9 └ username = local.application_data.accounts[local.environment].db_username
..
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-specify-backup-retention
Impact Potential loss of data and short opportunity for recovery
Resolution Explicitly set the retention period to greater than the default

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/specify-backup-retention/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period
────────────────────────────────────────────────────────────────────────────────

Result #27 MEDIUM Instance does not have Deletion Protection enabled
────────────────────────────────────────────────────────────────────────────────
rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_db_instance" "dacp_db" {
2 │ allocated_storage = local.application_data.accounts[local.environment].allocated_storage
3 │ db_name = local.application_data.accounts[local.environment].db_name
4 │ storage_type = local.application_data.accounts[local.environment].storage_type
5 │ engine = local.application_data.accounts[local.environment].engine
6 │ identifier = local.application_data.accounts[local.environment].identifier
7 │ engine_version = local.application_data.accounts[local.environment].engine_version
8 │ instance_class = local.application_data.accounts[local.environment].instance_class
9 └ username = local.application_data.accounts[local.environment].db_username
..
────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0177
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #28 LOW Security group explicitly uses the default description.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:207-225
────────────────────────────────────────────────────────────────────────────────
207 ┌ resource "aws_security_group" "ecs_service" {
208 │ name_prefix = "ecs-service-sg-"
209 │ vpc_id = data.aws_vpc.shared.id
210 │
211 │ ingress {
212 │ from_port = 80
213 │ to_port = 80
214 │ protocol = "tcp"
215 └ description = "Allow traffic on port 80 from load balancer"
...
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────

Result #29 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:219-224
────────────────────────────────────────────────────────────────────────────────
207 resource "aws_security_group" "ecs_service" {
...
219 ┌ egress {
220 │ from_port = 0
221 │ to_port = 0
222 │ protocol = "-1"
223 │ cidr_blocks = ["0.0.0.0/0"]
224 └ }
225 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────

Result #30 LOW Repository is not encrypted using KMS.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:227-230
────────────────────────────────────────────────────────────────────────────────
227 resource "aws_ecr_repository" "dacp_ecr_repo" {
228 name = "dacp-ecr-repo"
229 force_delete = true
230 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecr-repository-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Use customer managed keys

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/repository-customer-key/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration
────────────────────────────────────────────────────────────────────────────────

Result #31 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:9-12
────────────────────────────────────────────────────────────────────────────────
9 resource "aws_cloudwatch_log_group" "deployment_logs" {
10 name = "/aws/events/deploymentLogs"
11 retention_in_days = "7"
12 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────

Result #32 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
load_balancer.tf:23-46
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_security_group" "dacp_lb_sc" {
.
23 ┌ ingress {
24 │ from_port = 443
25 │ to_port = 443
26 │ protocol = "tcp"
27 │ cidr_blocks = [
28 │ "179.50.12.212/32",
29 └ "92.177.120.49/32",
..
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────

Result #33 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
load_balancer.tf:71-116
────────────────────────────────────────────────────────────────────────────────
65 resource "aws_security_group" "lb_sc_pingdom" {
66 name = "load balancer Pingdom security group"
67 description = "control Pingdom access to the load balancer"
68 vpc_id = data.aws_vpc.shared.id
69
70 // Allow all European Pingdom IP addresses
71 ┌ ingress {
72 │ from_port = 443
73 └ to_port = 443
..
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────

Result #34 LOW Instance does not have performance insights enabled.
────────────────────────────────────────────────────────────────────────────────
rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_db_instance" "dacp_db" {
2 │ allocated_storage = local.application_data.accounts[local.environment].allocated_storage
3 │ db_name = local.application_data.accounts[local.environment].db_name
4 │ storage_type = local.application_data.accounts[local.environment].storage_type
5 │ engine = local.application_data.accounts[local.environment].engine
6 │ identifier = local.application_data.accounts[local.environment].identifier
7 │ engine_version = local.application_data.accounts[local.environment].engine_version
8 │ instance_class = local.application_data.accounts[local.environment].instance_class
9 └ username = local.application_data.accounts[local.environment].db_username
..
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-enable-performance-insights
Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
Resolution Enable performance insights

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/enable-performance-insights/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id
────────────────────────────────────────────────────────────────────────────────

Result #35 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
rds.tf:87-90
────────────────────────────────────────────────────────────────────────────────
87 resource "aws_cloudwatch_log_group" "rds_logs" {
88 name = "/aws/events/rdsLogs"
89 retention_in_days = "7"
90 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────

timings
──────────────────────────────────────────
disk i/o 526.332µs
parsing 1.438904363s
adaptation 1.621724ms
checks 27.774576ms
total 1.468826995s

counts
──────────────────────────────────────────
modules downloaded 2
modules processed 3
blocks processed 191
files read 25

results
──────────────────────────────────────────
passed 44
ignored 29
critical 10
high 15
medium 2
low 8

44 passed, 29 ignored, 35 potential problem(s) detected.

tfsec_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/dacp

*****************************

Running Checkov in terraform/environments/dacp
2024-02-05 15:55:29,842 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
2024-02-05 15:55:29,842 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 68, Failed checks: 42, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name          = "bastion-example"
		11 |   bucket_versioning    = true
		12 |   bucket_force_destroy = true
		13 |   # public keys
		14 |   public_key_data = local.public_key_data.keys[local.environment]
		15 |   # logs
		16 |   log_auto_clean       = "Enabled"
		17 |   log_standard_ia_days = 30  # days before moving to IA storage
		18 |   log_glacier_days     = 60  # days before moving to Glacier
		19 |   log_expiry_days      = 180 # days before log expiration
		20 |   # bastion
		21 |   allow_ssh_commands = false
		22 |   app_name           = var.networking[0].application
		23 |   business_unit      = local.vpc_name
		24 |   subnet_set         = local.subnet_set
		25 |   environment        = local.environment
		26 |   region             = "eu-west-2"
		27 | 
		28 |   # Tags
		29 |   tags_common = local.tags
		30 |   tags_prefix = terraform.workspace
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name              = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.dacp_task_definition
	File: /ecs.tf:14-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.dacp_ecs_service
	File: /ecs.tf:78-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-333

		78  | resource "aws_ecs_service" "dacp_ecs_service" {
		79  |   depends_on = [
		80  |     aws_lb_listener.dacp_lb
		81  |   ]
		82  | 
		83  |   name                              = var.networking[0].application
		84  |   cluster                           = aws_ecs_cluster.dacp_cluster.id
		85  |   task_definition                   = aws_ecs_task_definition.dacp_task_definition.arn
		86  |   launch_type                       = "FARGATE"
		87  |   enable_execute_command            = true
		88  |   desired_count                     = 2
		89  |   health_check_grace_period_seconds = 180
		90  | 
		91  |   network_configuration {
		92  |     subnets          = data.aws_subnets.shared-public.ids
		93  |     security_groups  = [aws_security_group.ecs_service.id]
		94  |     assign_public_ip = true
		95  |   }
		96  | 
		97  |   load_balancer {
		98  |     target_group_arn = aws_lb_target_group.dacp_target_group.arn
		99  |     container_name   = "dacp-container"
		100 |     container_port   = 80
		101 |   }
		102 | 
		103 |   deployment_controller {
		104 |     type = "ECS"
		105 |   }
		106 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:207-225
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		207 | resource "aws_security_group" "ecs_service" {
		208 |   name_prefix = "ecs-service-sg-"
		209 |   vpc_id      = data.aws_vpc.shared.id
		210 | 
		211 |   ingress {
		212 |     from_port       = 80
		213 |     to_port         = 80
		214 |     protocol        = "tcp"
		215 |     description     = "Allow traffic on port 80 from load balancer"
		216 |     security_groups = [aws_security_group.dacp_lb_sc.id]
		217 |   }
		218 | 
		219 |   egress {
		220 |     from_port   = 0
		221 |     to_port     = 0
		222 |     protocol    = "-1"
		223 |     cidr_blocks = ["0.0.0.0/0"]
		224 |   }
		225 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.dacp_ecr_repo
	File: /ecs.tf:227-230
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		227 | resource "aws_ecr_repository" "dacp_ecr_repo" {
		228 |   name         = "dacp-ecr-repo"
		229 |   force_delete = true
		230 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.dacp_ecr_repo
	File: /ecs.tf:227-230
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		227 | resource "aws_ecr_repository" "dacp_ecr_repo" {
		228 |   name         = "dacp-ecr-repo"
		229 |   force_delete = true
		230 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.dacp_ecr_repo
	File: /ecs.tf:227-230
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		227 | resource "aws_ecr_repository" "dacp_ecr_repo" {
		228 |   name         = "dacp-ecr-repo"
		229 |   force_delete = true
		230 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.dacp_utilisation_alarm
	File: /ecs.tf:308-311
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		308 | resource "aws_sns_topic" "dacp_utilisation_alarm" {
		309 |   count = local.is-development ? 0 : 1
		310 |   name  = "dacp_utilisation_alarm"
		311 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_non_prod
	File: /ecs.tf:331-339
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		331 | module "pagerduty_core_alerts_non_prod" {
		332 |   count = local.is-preproduction ? 1 : 0
		333 |   depends_on = [
		334 |     aws_sns_topic.dacp_utilisation_alarm
		335 |   ]
		336 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		337 |   sns_topics                = [aws_sns_topic.dacp_utilisation_alarm[0].name]
		338 |   pagerduty_integration_key = local.pagerduty_integration_keys["dacp_non_prod_alarms"]
		339 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_prod
	File: /ecs.tf:342-350
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		342 | module "pagerduty_core_alerts_prod" {
		343 |   count = local.is-production ? 1 : 0
		344 |   depends_on = [
		345 |     aws_sns_topic.dacp_utilisation_alarm
		346 |   ]
		347 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		348 |   sns_topics                = [aws_sns_topic.dacp_utilisation_alarm[0].name]
		349 |   pagerduty_integration_key = local.pagerduty_integration_keys["dacp_prod_alarms"]
		350 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.dacp_lb_sc
	File: /load_balancer.tf:1-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:65-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:119-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		119 | resource "aws_lb" "dacp_lb" {
		120 |   name                       = "dacp-load-balancer"
		121 |   load_balancer_type         = "application"
		122 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		123 |   subnets                    = data.aws_subnets.shared-public.ids
		124 |   enable_deletion_protection = false
		125 |   internal                   = false
		126 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		127 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:119-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		119 | resource "aws_lb" "dacp_lb" {
		120 |   name                       = "dacp-load-balancer"
		121 |   load_balancer_type         = "application"
		122 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		123 |   subnets                    = data.aws_subnets.shared-public.ids
		124 |   enable_deletion_protection = false
		125 |   internal                   = false
		126 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		127 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:119-127
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		119 | resource "aws_lb" "dacp_lb" {
		120 |   name                       = "dacp-load-balancer"
		121 |   load_balancer_type         = "application"
		122 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		123 |   subnets                    = data.aws_subnets.shared-public.ids
		124 |   enable_deletion_protection = false
		125 |   internal                   = false
		126 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		127 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.dacp_target_group
	File: /load_balancer.tf:129-151
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		129 | resource "aws_lb_target_group" "dacp_target_group" {
		130 |   name                 = "dacp-target-group"
		131 |   port                 = 80
		132 |   protocol             = "HTTP"
		133 |   vpc_id               = data.aws_vpc.shared.id
		134 |   target_type          = "ip"
		135 |   deregistration_delay = 30
		136 | 
		137 |   stickiness {
		138 |     type = "lb_cookie"
		139 |   }
		140 | 
		141 |   health_check {
		142 |     healthy_threshold   = "3"
		143 |     interval            = "30"
		144 |     protocol            = "HTTP"
		145 |     port                = "80"
		146 |     unhealthy_threshold = "5"
		147 |     matcher             = "200-302"
		148 |     timeout             = "10"
		149 |   }
		150 | 
		151 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-2

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.rds_logs
	File: /rds.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		87 | resource "aws_cloudwatch_log_group" "rds_logs" {
		88 |   name              = "/aws/events/rdsLogs"
		89 |   retention_in_days = "7"
		90 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.dacp_web_acl
	File: /waf.tf:1-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		1  | resource "aws_wafv2_web_acl" "dacp_web_acl" {
		2  |   name  = "dacp-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |         rule_action_override {
		22 |           action_to_use {
		23 |             allow {}
		24 |           }
		25 |           name = "SizeRestrictions_Cookie_HEADER"
		26 |         }
		27 |       }
		28 |     }
		29 | 
		30 |     visibility_config {
		31 |       cloudwatch_metrics_enabled = true
		32 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		33 |       sampled_requests_enabled   = true
		34 |     }
		35 |   }
		36 | 
		37 |   visibility_config {
		38 |     cloudwatch_metrics_enabled = true
		39 |     metric_name                = "dacp-web-acl"
		40 |     sampled_requests_enabled   = true
		41 |   }
		42 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.dacp_web_acl
	File: /waf.tf:1-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		1  | resource "aws_wafv2_web_acl" "dacp_web_acl" {
		2  |   name  = "dacp-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |         rule_action_override {
		22 |           action_to_use {
		23 |             allow {}
		24 |           }
		25 |           name = "SizeRestrictions_Cookie_HEADER"
		26 |         }
		27 |       }
		28 |     }
		29 | 
		30 |     visibility_config {
		31 |       cloudwatch_metrics_enabled = true
		32 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		33 |       sampled_requests_enabled   = true
		34 |     }
		35 |   }
		36 | 
		37 |   visibility_config {
		38 |     cloudwatch_metrics_enabled = true
		39 |     metric_name                = "dacp-web-acl"
		40 |     sampled_requests_enabled   = true
		41 |   }
		42 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/dacp

*****************************

Running tflint in terraform/environments/dacp
Excluding the following checks: terraform_unused_declarations
12 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 39:
  39:           value = "${aws_db_instance.dacp_db.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 43:
  43:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 47:
  47:           value = "${aws_db_instance.dacp_db.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 51:
  51:           value = "${aws_db_instance.dacp_db.password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 55:
  55:           value = "${aws_db_instance.dacp_db.db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 59:
  59:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 63:
  63:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 67:
  67:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in `required_providers` (terraform_required_providers)

  on terraform/environments/dacp/rds.tf line 66:
  66: resource "null_resource" "setup_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/rds.tf line 83:
  83:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/dacp/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/secrets.tf line 18:
  18:   secret_string = jsonencode({ "DACP_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

`Trivy Scan`

Show Output

Updates from GitHub Actions Format Code workflow

0c5d2c2

github-actions bot added the code quality For PRs that improve, reformat, or refactor code label Feb 5, 2024

github-actions bot requested review from a team as code owners February 5, 2024 04:51

Merge branch 'main' into date_2024_02_05

bf97947

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Feb 5, 2024

ep-93 had a problem deploying to maat-development February 5, 2024 15:54 — with GitHub Actions Failure

ep-93 had a problem deploying to delius-core-test February 5, 2024 15:55 — with GitHub Actions Failure

ep-93 had a problem deploying to delius-core-development February 5, 2024 15:55 — with GitHub Actions Failure

davidkelliott closed this Feb 13, 2024

dms1981 deleted the date_2024_02_05 branch November 27, 2024 22:27

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Actions Code Formatter workflow #4829

GitHub Actions Code Formatter workflow #4829

github-actions bot commented Feb 5, 2024

github-actions bot commented Feb 5, 2024

You can read more here:
aquasecurity/tfsec#1994

GitHub Actions Code Formatter workflow #4829

GitHub Actions Code Formatter workflow #4829

Conversation

github-actions bot commented Feb 5, 2024

github-actions bot commented Feb 5, 2024

TFSEC Scan Failed

You can read more here: aquasecurity/tfsec#1994

CTFLint Scan Failed

Trivy Scan

`TFSEC Scan` Failed

You can read more here:
aquasecurity/tfsec#1994

`CTFLint Scan` Failed

`Trivy Scan`