Add G4S account for cap data warehouse #5090

Merged
merged 3 commits into main from update_g4s_accounts
Feb 16, 2024
Conversation

@pricemg pricemg commented Feb 16, 2024

G4S want to start with the cap_dw system, so adding in their account.

@pricemg pricemg requested review from a team as code owners February 16, 2024 12:02
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Feb 16, 2024
matt-heery previously approved these changes Feb 16, 2024

@matt-heery matt-heery left a comment

lgtm

TFSEC Scan Success

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

TFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:

Trivy Scan

@modernisation-platform-ci

@pricemg Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

2 similar comments

TFSEC Scan Success

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

TFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:

Trivy Scan

ASTRobinson previously approved these changes Feb 16, 2024
@pricemg pricemg had a problem deploying to electronic-monitoring-data-development February 16, 2024 13:03 — with GitHub Actions Failure
@pricemg pricemg had a problem deploying to electronic-monitoring-data-development February 16, 2024 13:53 — with GitHub Actions Failure
Staberinde previously approved these changes Feb 16, 2024
@pricemg pricemg dismissed stale reviews from Staberinde and ASTRobinson via 7e7cf1d February 16, 2024 14:34
@modernisation-platform-ci

@pricemg Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

2 similar comments

TFSEC Scan Failed

TFSEC will check the following folders:
terraform/environments/corporate-staff-rostering terraform/environments/planetfm


Running TFSEC in terraform/environments/corporate-staff-rostering
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Results #1-2 HIGH IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource 'arn:aws:logs:::*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-lambda-function?ref=v3.1.0/main.tf:42
via lambda.tf:68-106 (module.lambda_cw_logs_xml_to_json)
────────────────────────────────────────────────────────────────────────────────
39 resource "aws_iam_policy" "policy_from_json" {
40 count = var.create_role && var.policy_json_attached ? 1 : 0
41 name = coalesce(var.policy_name, var.role_name, var.function_name)
42 [ policy = var.policy_json
43 tags = var.tags
44 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • github.com/ministryofjustice/modernisation-platform-terraform-lambda-function?ref=v3.1.0/main.tf:68-106 (module.lambda_cw_logs_xml_to_json) 2 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

timings
──────────────────────────────────────────
disk i/o 2.238876ms
parsing 1.064014636s
adaptation 1.26531ms
checks 4.208924ms
total 1.071727746s

counts
──────────────────────────────────────────
modules downloaded 2
modules processed 7
blocks processed 390
files read 84

results
──────────────────────────────────────────
passed 14
ignored 3
critical 0
high 2
medium 0
low 0

14 passed, 3 ignored, 2 potential problem(s) detected.

tfsec_exitcode=1


Running TFSEC in terraform/environments/planetfm
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:184
via main.tf:33-139 (module.baseline)
────────────────────────────────────────────────────────────────────────────────
181 resource "aws_s3_bucket_versioning" "default" {
182 bucket = aws_s3_bucket.default.id
183 versioning_configuration {
184 [ status = (var.versioning_enabled != true) ? "Suspended" : "Enabled"
185 }
186 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

timings
──────────────────────────────────────────
disk i/o 1.668803ms
parsing 1.253245361s
adaptation 666.814µs
checks 3.984013ms
total 1.259564991s

counts
──────────────────────────────────────────
modules downloaded 1
modules processed 7
blocks processed 346
files read 82

results
──────────────────────────────────────────
passed 9
ignored 4
critical 0
high 0
medium 1
low 0

9 passed, 4 ignored, 1 potential problem(s) detected.

tfsec_exitcode=2

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/corporate-staff-rostering terraform/environments/planetfm

*****************************

Running Checkov in terraform/environments/corporate-staff-rostering
2024-02-16 14:36:22,704 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-lambda-function:None (for external modules, the --download-external-modules flag is required)
2024-02-16 14:36:22,704 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-lambda-function?ref=v3.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 153, Failed checks: 2, Skipped checks: 26

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ad-clean-up-lambda
	File: /lambda.tf:8-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		8  | module "ad-clean-up-lambda" {
		9  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function" # ref for V3.1
		10 | 
		11 |   application_name = local.lambda_ad_object_cleanup.function_name
		12 |   function_name    = local.lambda_ad_object_cleanup.function_name
		13 |   description      = "Lambda to remove corresponding computer object from Active Directory upon server termination"
		14 |   package_type     = "Zip"
		15 |   filename         = data.archive_file.ad-cleanup-lambda.output_path
		16 |   source_code_hash = data.archive_file.ad-cleanup-lambda.output_base64sha256
		17 |   handler          = "lambda_function.lambda_handler"
		18 |   runtime          = "python3.8"
		19 | 
		20 |   create_role = false
		21 |   lambda_role = aws_iam_role.lambda-ad-role.arn
		22 | 
		23 |   vpc_subnet_ids         = tolist(data.aws_subnets.shared-private.ids)
		24 |   vpc_security_group_ids = [module.baseline.security_groups["domain"].id]
		25 | 
		26 |   tags = merge(
		27 |     local.tags,
		28 |     {
		29 |       Name = "ad-object-clean-up-lambda"
		30 |     },
		31 |   )
		32 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: lambda_cw_logs_xml_to_json
	File: /lambda.tf:68-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		68  | module "lambda_cw_logs_xml_to_json" {
		69  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function?ref=v3.1.0"
		70  | 
		71  |   application_name = local.lambda_cw_logs_xml_to_json.function_name
		72  |   function_name    = local.lambda_cw_logs_xml_to_json.function_name
		73  |   role_name        = local.lambda_cw_logs_xml_to_json.function_name
		74  | 
		75  |   package_type     = "Zip"
		76  |   filename         = "${path.module}/lambda/cw-xml-to-json/deployment_package.zip"
		77  |   source_code_hash = filebase64sha256("${path.module}/lambda/cw-xml-to-json/deployment_package.zip")
		78  |   runtime          = "python3.12"
		79  |   handler          = "lambda_function.lambda_handler"
		80  | 
		81  |   policy_json_attached = true
		82  |   policy_json = jsonencode({
		83  |     Version = "2012-10-17",
		84  |     Statement = [
		85  |       {
		86  |         Action = [
		87  |           "logs:CreateLogGroup",
		88  |           "logs:CreateLogStream",
		89  |           "logs:PutLogEvents",
		90  |           "logs:DescribeLogStreams"
		91  |         ],
		92  |         Effect   = "Allow",
		93  |         Resource = "arn:aws:logs:*:*:*"
		94  |       },
		95  |     ]
		96  |   })
		97  | 
		98  |   allowed_triggers = {
		99  |     AllowExecutionFromCloudWatch = {
		100 |       principal  = "logs.amazonaws.com"
		101 |       source_arn = "${module.baseline.cloudwatch_log_groups[local.lambda_cw_logs_xml_to_json.monitored_log_group].arn}:*"
		102 |     }
		103 |   }
		104 | 
		105 |   tags = {}
		106 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/planetfm
terraform scan results:

Passed checks: 124, Failed checks: 0, Skipped checks: 26


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/corporate-staff-rostering terraform/environments/planetfm

*****************************

Running tflint in terraform/environments/corporate-staff-rostering
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function" is not pinned (terraform_module_pinned_source)

  on terraform/environments/corporate-staff-rostering/lambda.tf line 9:
   9:   source = "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function" # ref for V3.1

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_module_pinned_source.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/corporate-staff-rostering/lambda.tf line 34:
  34: data "archive_file" "ad-cleanup-lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/planetfm
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

Trivy Scan

@pricemg pricemg temporarily deployed to electronic-monitoring-data-development February 16, 2024 14:39 — with GitHub Actions Inactive
@pricemg pricemg merged commit 6f86842 into main Feb 16, 2024
13 of 14 checks passed
@pricemg pricemg deleted the update_g4s_accounts branch February 16, 2024 14:41
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
6 participants