
Bump ministryofjustice/github-actions from 15.3.0 to 15.4.1 #5087

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Feb 16, 2024

Bumps ministryofjustice/github-actions from 15.3.0 to 15.4.1.

Release notes

Sourced from ministryofjustice/github-actions's releases.

v15.4.1

What's Changed

Full Changelog: ministryofjustice/github-actions@15.4.0...v15.4.1

15.4.0

⚠️ BREAKING CHANGES ⚠️

You may see multiple targets cannot be specified error when using this release version on the terraform-static-analysis action. If you do, please upgrade to v15.4.1 for the fix.

What's Changed

New Contributors

Full Changelog: ministryofjustice/github-actions@v15.3.0...15.4.0

Commits
  • 1b6396c Merge pull request #244 from ministryofjustice/revert/trivy-skip-dirs-feature
  • 93d18be Revert skipdir change
  • e7d9a2a Merge pull request #241 from ministryofjustice/feature/trivy-exclude-dir
  • 6bd6f63 Update action.yml
  • 4b28d5b Update entrypoint.sh
  • 7f9f83f Merge pull request #233 from ministryofjustice/feat/trivy-exclude-update
  • dc74c64 change in scanners line
  • 5984304 trivy new functionality
  • 565a729 Merge pull request #232 from ministryofjustice/feat/trivy-exclude-update
  • 49f28b8 adding in the input for trivy exclude
  • See full diff in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot requested a review from a team as a code owner February 16, 2024 00:17
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Feb 16, 2024
@github-actions github-actions bot added environments-repository Used to exclude PRs from this repo in our Slack PR update github-workflow labels Feb 16, 2024

TFSEC Scan Failed

Show Output

TFSEC will check the following folders:
terraform/environments/corporate-staff-rostering terraform/environments/planetfm


Running TFSEC in terraform/environments/corporate-staff-rostering
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Results #1-2 HIGH IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource 'arn:aws:logs:*:*:*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-lambda-function?ref=v3.1.0/main.tf:42
via lambda.tf:68-106 (module.lambda_cw_logs_xml_to_json)
────────────────────────────────────────────────────────────────────────────────
39 resource "aws_iam_policy" "policy_from_json" {
40 count = var.create_role && var.policy_json_attached ? 1 : 0
41 name = coalesce(var.policy_name, var.role_name, var.function_name)
42 [ policy = var.policy_json
43 tags = var.tags
44 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • github.com/ministryofjustice/modernisation-platform-terraform-lambda-function?ref=v3.1.0/main.tf:68-106 (module.lambda_cw_logs_xml_to_json) 2 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

timings
──────────────────────────────────────────
disk i/o 1.995779ms
parsing 1.015697826s
adaptation 1.206865ms
checks 3.844207ms
total 1.022744677s

counts
──────────────────────────────────────────
modules downloaded 2
modules processed 7
blocks processed 387
files read 84

results
──────────────────────────────────────────
passed 10
ignored 3
critical 0
high 2
medium 0
low 0

10 passed, 3 ignored, 2 potential problem(s) detected.

tfsec_exitcode=1


Running TFSEC in terraform/environments/planetfm
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:184
via main.tf:33-139 (module.baseline)
────────────────────────────────────────────────────────────────────────────────
181 resource "aws_s3_bucket_versioning" "default" {
182 bucket = aws_s3_bucket.default.id
183 versioning_configuration {
184 [ status = (var.versioning_enabled != true) ? "Suspended" : "Enabled"
185 }
186 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

timings
──────────────────────────────────────────
disk i/o 1.537592ms
parsing 1.189164937s
adaptation 474.047µs
checks 3.17266ms
total 1.194349236s

counts
──────────────────────────────────────────
modules downloaded 1
modules processed 7
blocks processed 351
files read 82

results
──────────────────────────────────────────
passed 9
ignored 4
critical 0
high 0
medium 1
low 0

9 passed, 4 ignored, 1 potential problem(s) detected.

tfsec_exitcode=2

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/corporate-staff-rostering terraform/environments/planetfm

*****************************

Running Checkov in terraform/environments/corporate-staff-rostering
2024-02-16 00:19:42,902 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-lambda-function:None (for external modules, the --download-external-modules flag is required)
2024-02-16 00:19:42,902 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-lambda-function?ref=v3.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 142, Failed checks: 2, Skipped checks: 26

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ad-clean-up-lambda
	File: /lambda.tf:8-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		8  | module "ad-clean-up-lambda" {
		9  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function" # ref for V3.1
		10 | 
		11 |   application_name = local.lambda_ad_object_cleanup.function_name
		12 |   function_name    = local.lambda_ad_object_cleanup.function_name
		13 |   description      = "Lambda to remove corresponding computer object from Active Directory upon server termination"
		14 |   package_type     = "Zip"
		15 |   filename         = data.archive_file.ad-cleanup-lambda.output_path
		16 |   source_code_hash = data.archive_file.ad-cleanup-lambda.output_base64sha256
		17 |   handler          = "lambda_function.lambda_handler"
		18 |   runtime          = "python3.8"
		19 | 
		20 |   create_role = false
		21 |   lambda_role = aws_iam_role.lambda-ad-role.arn
		22 | 
		23 |   vpc_subnet_ids         = tolist(data.aws_subnets.shared-private.ids)
		24 |   vpc_security_group_ids = [module.baseline.security_groups["domain"].id]
		25 | 
		26 |   tags = merge(
		27 |     local.tags,
		28 |     {
		29 |       Name = "ad-object-clean-up-lambda"
		30 |     },
		31 |   )
		32 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: lambda_cw_logs_xml_to_json
	File: /lambda.tf:68-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		68  | module "lambda_cw_logs_xml_to_json" {
		69  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function?ref=v3.1.0"
		70  | 
		71  |   application_name = local.lambda_cw_logs_xml_to_json.function_name
		72  |   function_name    = local.lambda_cw_logs_xml_to_json.function_name
		73  |   role_name        = local.lambda_cw_logs_xml_to_json.function_name
		74  | 
		75  |   package_type     = "Zip"
		76  |   filename         = "${path.module}/lambda/cw-xml-to-json/deployment_package.zip"
		77  |   source_code_hash = filebase64sha256("${path.module}/lambda/cw-xml-to-json/deployment_package.zip")
		78  |   runtime          = "python3.12"
		79  |   handler          = "lambda_function.lambda_handler"
		80  | 
		81  |   policy_json_attached = true
		82  |   policy_json = jsonencode({
		83  |     Version = "2012-10-17",
		84  |     Statement = [
		85  |       {
		86  |         Action = [
		87  |           "logs:CreateLogGroup",
		88  |           "logs:CreateLogStream",
		89  |           "logs:PutLogEvents",
		90  |           "logs:DescribeLogStreams"
		91  |         ],
		92  |         Effect   = "Allow",
		93  |         Resource = "arn:aws:logs:*:*:*"
		94  |       },
		95  |     ]
		96  |   })
		97  | 
		98  |   allowed_triggers = {
		99  |     AllowExecutionFromCloudWatch = {
		100 |       principal  = "logs.amazonaws.com"
		101 |       source_arn = "${module.baseline.cloudwatch_log_groups[local.lambda_cw_logs_xml_to_json.monitored_log_group].arn}:*"
		102 |     }
		103 |   }
		104 | 
		105 |   tags = {}
		106 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/planetfm
terraform scan results:

Passed checks: 123, Failed checks: 0, Skipped checks: 26


checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/corporate-staff-rostering terraform/environments/planetfm

*****************************

Running tflint in terraform/environments/corporate-staff-rostering
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function" is not pinned (terraform_module_pinned_source)

  on terraform/environments/corporate-staff-rostering/lambda.tf line 9:
   9:   source = "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function" # ref for V3.1

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_module_pinned_source.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/corporate-staff-rostering/lambda.tf line 34:
  34: data "archive_file" "ad-cleanup-lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/planetfm
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

Trivy Scan

Show Output
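
The two findings that recur through the scan output above, the aws-iam-no-policy-wildcards hit on the policy_json of module.lambda_cw_logs_xml_to_json and the CKV_TF_1 / terraform_module_pinned_source warnings on the unpinned and tag-pinned module sources in lambda.tf, can be reproduced with a small checker. The block below is an added example and is not tfsec, Checkov or Ministry of Justice code: it applies an approximation of both rules to the policy quoted in the Checkov output and to the module sources quoted from the same file. It also classifies the object-level `bucket/*` form that the later scan run in this thread reports on the electronic-monitoring-data environment, because that shape is what S3 object actions need and deserves different triage from a fully wildcarded ARN such as `arn:aws:logs:*:*:*`. The SENSITIVE_ACTIONS set, the eu-west-2 / 123456789012 log-group ARN in the scoped policy, the example bucket name and the all-zero commit SHA are constructed for the example; that the function's log group is created in Terraform (which is what lets logs:CreateLogGroup be dropped) is an assumption.

```python
import re

# Constructed subset of actions treated as "sensitive" for this example.
# tfsec/defsec keep their own longer list; these are the ones reported in
# this PR thread plus two well-known privilege-escalation actions.
SENSITIVE_ACTIONS = {
    "logs:CreateLogGroup", "s3:PutObject", "s3:GetObject", "s3:DeleteObject",
    "s3:PutObjectTagging", "iam:PassRole", "sts:AssumeRole",
}

# Fixed part of an S3 object ARN, e.g. "arn:aws:s3:::bucket/" or
# "arn:aws:s3:::bucket/prefix/": a wildcard after this covers objects in one
# bucket only, not every bucket in the account.
_S3_OBJECT_PREFIX = re.compile(r"arn:[^:*]+:s3:::[^*/]+/[^*]*")
_FULL_COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")


def _as_list(value):
    """IAM JSON allows a single string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy: dict) -> list:
    """One finding per (action, resource) pair where an Allow statement grants a
    sensitive action (or '*') on a resource ARN containing '*'.

    scope='arn'    -> the wildcard widens the ARN itself (region, account or
                      resource type), e.g. 'arn:aws:logs:*:*:*'
    scope='object' -> only the S3 object key is wildcarded ('bucket/*'); still
                      reported, as tfsec does, but worth separate triage
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" not in resource:
                continue
            fixed_prefix = resource.split("*", 1)[0]
            scope = "object" if _S3_OBJECT_PREFIX.fullmatch(fixed_prefix) else "arn"
            for action in actions:
                if action == "*" or action in SENSITIVE_ACTIONS:
                    findings.append({"action": action, "resource": resource, "scope": scope})
    return findings


def module_pin_status(source: str) -> str:
    """Classify a Terraform module `source` roughly as CKV_TF_1 and tflint's
    terraform_module_pinned_source do (simplified: only git:: and github.com
    sources are treated as git sources).

    'unpinned' -> git source with no ?ref=, so it tracks the default branch
    'tag'      -> ?ref= names a tag or branch; movable, so not an immutable pin
    'commit'   -> ?ref= is a full 40-hex commit SHA (this example's bar for a pin)
    'not-git'  -> local path or registry source; outside these two rules
    """
    if not (source.startswith("git::") or "github.com" in source):
        return "not-git"
    match = re.search(r"[?&]ref=([^&]+)", source)
    if match is None:
        return "unpinned"
    return "commit" if _FULL_COMMIT_SHA.match(match.group(1)) else "tag"


# The policy_json attached by module.lambda_cw_logs_xml_to_json, as quoted in
# the Checkov output above (lambda.tf lines 82-96), converted to a dict.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                   "logs:PutLogEvents", "logs:DescribeLogStreams"],
        "Effect": "Allow",
        "Resource": "arn:aws:logs:*:*:*",
    }],
}

# Scoped rewrite. Assumptions: the function's log group is created by Terraform
# (so logs:CreateLogGroup is not needed at run time); region, account and
# log-group name are constructed example values. The trailing ':*' covers log
# streams inside that one group, which PutLogEvents needs.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"],
        "Effect": "Allow",
        "Resource": "arn:aws:logs:eu-west-2:123456789012:log-group:/aws/lambda/cw-xml-to-json:*",
    }],
}

# The two module sources Checkov and tflint flagged in lambda.tf, plus a
# commit-pinned form of the second (the SHA is a placeholder, not a real commit).
MODULE_SOURCES = [
    "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function",
    "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function?ref=v3.1.0",
    "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function?ref=" + "0" * 40,
]


def audit() -> dict:
    """Run both checks over the inputs above and return the results."""
    return {
        "page_policy": wildcard_findings(PAGE_POLICY),
        "scoped_policy": wildcard_findings(SCOPED_POLICY),
        "module_sources": {src: module_pin_status(src) for src in MODULE_SOURCES},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

Run stand-alone, `audit()` reports exactly one finding for the page's policy (logs:CreateLogGroup on the region- and account-wide ARN), none for the scoped form, and classifies the three sources as unpinned, tag and commit; the `# ref for V3.1` comment on the first source in lambda.tf does nothing to pin it, which is why both Checkov and tflint report it. A `bucket/*` resource is returned with scope 'object' so it can be accepted deliberately rather than silenced wholesale.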

@ASTRobinson

@dependabot rebase

Bumps [ministryofjustice/github-actions](https://github.com/ministryofjustice/github-actions) from 15.3.0 to 15.4.1.
- [Release notes](https://github.com/ministryofjustice/github-actions/releases)
- [Commits](ministryofjustice/github-actions@7855159...1b6396c)

---
updated-dependencies:
- dependency-name: ministryofjustice/github-actions
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/github_actions/ministryofjustice/github-actions-15.4.1 branch from 896d7f8 to 6cddc23 February 16, 2024 14:45

TFSEC Scan Failed

Show Output

TFSEC will check the following folders:
terraform/environments/electronic-monitoring-data


Running TFSEC in terraform/environments/electronic-monitoring-data
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource 'ac7238b4-0e8d-4f22-9bbe-52fb1af52dfb/*'
────────────────────────────────────────────────────────────────────────────────
data_store.tf:164
────────────────────────────────────────────────────────────────────────────────
148 data "aws_iam_policy_document" "calculate_checksum_lambda" {
...
164 [ resources = ["${aws_s3_bucket.data_store.arn}/*"]
...
166 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #2 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
data_store.tf:20-28
────────────────────────────────────────────────────────────────────────────────
20 resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
21 bucket = aws_s3_bucket.data_store.id
22
23 rule {
24 apply_server_side_encryption_by_default {
25 sse_algorithm = "AES256"
26 }
27 }
28 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #3 HIGH IAM policy document uses sensitive action 's3:GetObject' on wildcarded resource 'ac7238b4-0e8d-4f22-9bbe-52fb1af52dfb/*'
────────────────────────────────────────────────────────────────────────────────
data_store.tf:216
────────────────────────────────────────────────────────────────────────────────
207 data "aws_iam_policy_document" "summarise_zip_lambda" {
...
216 [ resources = ["${aws_s3_bucket.data_store.arn}/*"]
...
218 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #4-15 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource '52600484-8389-4c46-9f95-6c781320f7db/*' (12 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/landing_zone_user/main.tf:57
via modules/landing_zone/main.tf:352-362 (module.landing_zone_users["0"])
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
46 data "aws_iam_policy_document" "this_transfer_user" {
..
57 [ resources = ["${var.landing_bucket.arn}/*"]
..
59 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/landing_zone_user/main.tf:1-25 (module.capita) 12 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #16-18 HIGH IAM policy document uses sensitive action 's3:GetObject' on wildcarded resource '52600484-8389-4c46-9f95-6c781320f7db/*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:294
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
286 data "aws_iam_policy_document" "this_transfer_workflow" {
...
294 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
338 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-25 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #19-21 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource 'ac7238b4-0e8d-4f22-9bbe-52fb1af52dfb/*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:303
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
286 data "aws_iam_policy_document" "this_transfer_workflow" {
...
303 [ resources = ["${var.data_store_bucket.arn}/*"]
...
338 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-25 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #22-27 HIGH IAM policy document uses sensitive action 's3:PutObjectTagging' on wildcarded resource 'ac7238b4-0e8d-4f22-9bbe-52fb1af52dfb/*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:323-326
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
286 data "aws_iam_policy_document" "this_transfer_workflow" {
...
323 ┌ resources = [
324 │ "${var.data_store_bucket.arn}/*",
325 │ "${aws_s3_bucket.landing_bucket.arn}/*",
326 └ ]
...
338 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-25 (module.capita) 6 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #28-30 HIGH IAM policy document uses sensitive action 's3:DeleteObject' on wildcarded resource '52600484-8389-4c46-9f95-6c781320f7db/*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:336
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
286 data "aws_iam_policy_document" "this_transfer_workflow" {
...
336 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
338 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-25 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #31-33 HIGH Bucket does not encrypt data with a customer managed key. (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:37-45
via main.tf:51-82 (module.g4s)
────────────────────────────────────────────────────────────────────────────────
37 resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
38 bucket = aws_s3_bucket.landing_bucket.id
39
40 rule {
41 apply_server_side_encryption_by_default {
42 sse_algorithm = "AES256"
43 }
44 }
45 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:51-82 (module.g4s)
  • modules/landing_zone/main.tf:27-49 (module.civica)
  • modules/landing_zone/main.tf:1-25 (module.capita)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-encryption-customer-key
    Impact Using AWS managed keys does not allow for fine grained control
    Resolution Enable encryption using customer managed keys

More Information

Results #34-37 HIGH Bucket does not encrypt data with a customer managed key. (4 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/s3_log_bucket/main.tf:17-25
via modules/landing_zone/main.tf:105-113 (module.log_bucket)
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
17 resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
18 bucket = aws_s3_bucket.this.id
19
20 rule {
21 apply_server_side_encryption_by_default {
22 sse_algorithm = "AES256"
23 }
24 }
25 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/s3_log_bucket/main.tf:1-25 (module.capita) 3 instances
  • modules/s3_log_bucket/main.tf:5-10 (module.data_store_log_bucket)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-encryption-customer-key
    Impact Using AWS managed keys does not allow for fine grained control
    Resolution Enable encryption using customer managed keys

More Information

Results #38-40 MEDIUM Bucket does not have versioning enabled (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:84
via main.tf:27-49 (module.civica)
────────────────────────────────────────────────────────────────────────────────
81 resource "aws_s3_bucket_versioning" "landing_bucket" {
82 bucket = aws_s3_bucket.landing_bucket.id
83 versioning_configuration {
84 [ status = "Disabled"
85 }
86 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:27-49 (module.civica)
  • modules/landing_zone/main.tf:1-25 (module.capita)
  • modules/landing_zone/main.tf:51-82 (module.g4s)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-enable-versioning
    Impact Deleted or modified data would not be recoverable
    Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Results #41-44 MEDIUM Bucket does not have logging enabled (4 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/s3_log_bucket/main.tf:2-8
via modules/landing_zone/main.tf:105-113 (module.log_bucket)
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_s3_bucket" "this" {
3 bucket = "${var.source_bucket.id}-logs"
4
5 force_destroy = true
6
7 tags = var.tags
8 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/s3_log_bucket/main.tf:1-25 (module.capita)
  • modules/s3_log_bucket/main.tf:27-49 (module.civica)
  • modules/s3_log_bucket/main.tf:51-82 (module.g4s)
  • modules/s3_log_bucket/main.tf:5-10 (module.data_store_log_bucket)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-enable-bucket-logging
    Impact There is no way to determine the access to this bucket
    Resolution Add a logging block to the resource to enable access logging

More Information

Result #45 LOW Function does not have tracing enabled.
────────────────────────────────────────────────────────────────────────────────
data_store.tf:126-140
────────────────────────────────────────────────────────────────────────────────
126 ┌ resource "aws_lambda_function" "calculate_checksum_lambda" {
127 │ filename = "calculate_checksum_lambda.zip"
128 │ function_name = "calculate-checksum-lambda"
129 │ role = aws_iam_role.calculate_checksum_lambda.arn
130 │ handler = "calculate_checksum_lambda.handler"
131 │ runtime = "python3.12"
132 │ memory_size = 1024
133 │ timeout = 900
134 └
...
────────────────────────────────────────────────────────────────────────────────
ID aws-lambda-enable-tracing
Impact Without full tracing enabled it is difficult to trace the flow of logs
Resolution Enable tracing

More Information

Result #46 LOW Function does not have tracing enabled.
────────────────────────────────────────────────────────────────────────────────
data_store.tf:192-199
────────────────────────────────────────────────────────────────────────────────
192 resource "aws_lambda_function" "summarise_zip_lambda" {
193 filename = "summarise_zip_lambda.zip"
194 function_name = "summarise-zip-lambda"
195 role = aws_iam_role.summarise_zip_lambda.arn
196 handler = "summarise_zip_lambda.handler"
197 runtime = "python3.12"
198 timeout = 600
199 }
────────────────────────────────────────────────────────────────────────────────
ID aws-lambda-enable-tracing
Impact Without full tracing enabled it is difficult to trace the flow of logs
Resolution Enable tracing

More Information

timings
──────────────────────────────────────────
disk i/o 1.350211ms
parsing 121.511974ms
adaptation 15.048706ms
checks 11.493455ms
total 149.404346ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 32
blocks processed 437
files read 90

results
──────────────────────────────────────────
passed 167
ignored 0
critical 0
high 37
medium 7
low 2

167 passed, 46 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
terraform scan results:

Passed checks: 504, Failed checks: 50, Skipped checks: 0

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		126 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		127 |   filename      = "calculate_checksum_lambda.zip"
		128 |   function_name = "calculate-checksum-lambda"
		129 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		130 |   handler       = "calculate_checksum_lambda.handler"
		131 |   runtime       = "python3.12"
		132 |   memory_size   = 1024
		133 |   timeout       = 900
		134 | 
		135 |   environment {
		136 |     variables = {
		137 |       Checksum = var.checksum_algorithm
		138 |     }
		139 |   }
		140 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		126 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		127 |   filename      = "calculate_checksum_lambda.zip"
		128 |   function_name = "calculate-checksum-lambda"
		129 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		130 |   handler       = "calculate_checksum_lambda.handler"
		131 |   runtime       = "python3.12"
		132 |   memory_size   = 1024
		133 |   timeout       = 900
		134 | 
		135 |   environment {
		136 |     variables = {
		137 |       Checksum = var.checksum_algorithm
		138 |     }
		139 |   }
		140 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		126 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		127 |   filename      = "calculate_checksum_lambda.zip"
		128 |   function_name = "calculate-checksum-lambda"
		129 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		130 |   handler       = "calculate_checksum_lambda.handler"
		131 |   runtime       = "python3.12"
		132 |   memory_size   = 1024
		133 |   timeout       = 900
		134 | 
		135 |   environment {
		136 |     variables = {
		137 |       Checksum = var.checksum_algorithm
		138 |     }
		139 |   }
		140 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		126 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		127 |   filename      = "calculate_checksum_lambda.zip"
		128 |   function_name = "calculate-checksum-lambda"
		129 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		130 |   handler       = "calculate_checksum_lambda.handler"
		131 |   runtime       = "python3.12"
		132 |   memory_size   = 1024
		133 |   timeout       = 900
		134 | 
		135 |   environment {
		136 |     variables = {
		137 |       Checksum = var.checksum_algorithm
		138 |     }
		139 |   }
		140 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		126 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		127 |   filename      = "calculate_checksum_lambda.zip"
		128 |   function_name = "calculate-checksum-lambda"
		129 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		130 |   handler       = "calculate_checksum_lambda.handler"
		131 |   runtime       = "python3.12"
		132 |   memory_size   = 1024
		133 |   timeout       = 900
		134 | 
		135 |   environment {
		136 |     variables = {
		137 |       Checksum = var.checksum_algorithm
		138 |     }
		139 |   }
		140 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		126 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		127 |   filename      = "calculate_checksum_lambda.zip"
		128 |   function_name = "calculate-checksum-lambda"
		129 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		130 |   handler       = "calculate_checksum_lambda.handler"
		131 |   runtime       = "python3.12"
		132 |   memory_size   = 1024
		133 |   timeout       = 900
		134 | 
		135 |   environment {
		136 |     variables = {
		137 |       Checksum = var.checksum_algorithm
		138 |     }
		139 |   }
		140 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:192-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		192 | resource "aws_lambda_function" "summarise_zip_lambda" {
		193 |   filename      = "summarise_zip_lambda.zip"
		194 |   function_name = "summarise-zip-lambda"
		195 |   role          = aws_iam_role.summarise_zip_lambda.arn
		196 |   handler       = "summarise_zip_lambda.handler"
		197 |   runtime       = "python3.12"
		198 |   timeout       = 600
		199 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:192-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		192 | resource "aws_lambda_function" "summarise_zip_lambda" {
		193 |   filename      = "summarise_zip_lambda.zip"
		194 |   function_name = "summarise-zip-lambda"
		195 |   role          = aws_iam_role.summarise_zip_lambda.arn
		196 |   handler       = "summarise_zip_lambda.handler"
		197 |   runtime       = "python3.12"
		198 |   timeout       = 600
		199 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:192-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		192 | resource "aws_lambda_function" "summarise_zip_lambda" {
		193 |   filename      = "summarise_zip_lambda.zip"
		194 |   function_name = "summarise-zip-lambda"
		195 |   role          = aws_iam_role.summarise_zip_lambda.arn
		196 |   handler       = "summarise_zip_lambda.handler"
		197 |   runtime       = "python3.12"
		198 |   timeout       = 600
		199 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:192-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		192 | resource "aws_lambda_function" "summarise_zip_lambda" {
		193 |   filename      = "summarise_zip_lambda.zip"
		194 |   function_name = "summarise-zip-lambda"
		195 |   role          = aws_iam_role.summarise_zip_lambda.arn
		196 |   handler       = "summarise_zip_lambda.handler"
		197 |   runtime       = "python3.12"
		198 |   timeout       = 600
		199 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:192-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		192 | resource "aws_lambda_function" "summarise_zip_lambda" {
		193 |   filename      = "summarise_zip_lambda.zip"
		194 |   function_name = "summarise-zip-lambda"
		195 |   role          = aws_iam_role.summarise_zip_lambda.arn
		196 |   handler       = "summarise_zip_lambda.handler"
		197 |   runtime       = "python3.12"
		198 |   timeout       = 600
		199 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.capita.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 |   
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = {
		17 |     supplier = var.user_name
		18 |   }
		19 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.civica.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 |   
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = {
		17 |     supplier = var.user_name
		18 |   }
		19 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 |   
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = {
		17 |     supplier = var.user_name
		18 |   }
		19 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 115:
 115: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 179:
 179:   source_arn    = "${aws_s3_bucket.data_store.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 186:
 186: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 231:
 231:   source_arn    = "${aws_s3_bucket.data_store.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan


@ASTRobinson ASTRobinson left a comment


LGTM - TSA checks failing due to application environment work in progress not related to this bump.

@ASTRobinson ASTRobinson merged commit 940ff17 into main Feb 16, 2024
5 of 6 checks passed
@ASTRobinson ASTRobinson deleted the dependabot/github_actions/ministryofjustice/github-actions-15.4.1 branch February 16, 2024 14:54