Bump ecs-cluster::modernisation-platform-terraform-ecs-cluster from 4.0.3 to 4.2.1 in /terraform/environments/example #5988

@dependabot dependabot bot commented on behalf of github May 8, 2024

Bumps ecs-cluster::modernisation-platform-terraform-ecs-cluster from 4.0.3 to 4.2.1.

Release notes

Sourced from ecs-cluster::modernisation-platform-terraform-ecs-cluster's releases.

v4.2.1

What's Changed

New Contributors

Full Changelog: ministryofjustice/modernisation-platform-terraform-ecs-cluster@v4.2.0...v4.2.1

v4.2.0

What's New

Mount points are now supported in a container definition

What's Changed

Full Changelog: ministryofjustice/modernisation-platform-terraform-ecs-cluster@v4.1.1...v4.2.0

v4.1.1

Change to replace [*] with [0] to select one item not a list.

What's Changed

Full Changelog: ministryofjustice/modernisation-platform-terraform-ecs-cluster@v4.1.0...v4.1.1

4.1.0

Introduced new attributes that can be passed into the module. See below for details of all changes.

What's Changed

New Contributors

Full Changelog: ministryofjustice/modernisation-platform-terraform-ecs-cluster@v4.0.3...v4.1.0

Commits
  • e4f82fe 📝 Add Documentation for the container definition module (#143)
  • 49dba4d Merge pull request #142 from ministryofjustice/dependabot/github_actions/brid...
  • 91660d0 Build(deps): Bump bridgecrewio/checkov-action
  • 1a927b6 Merge pull request #141 from ministryofjustice/dependabot/github_actions/acti...
  • bd7af0d Build(deps): Bump actions/setup-go from 5.0.0 to 5.0.1
  • 754e008 Merge pull request #140 from ministryofjustice/feature/6675-github-action-sta...
  • 44f79f1 feature/6675-GitHub Action Status Badges
  • f8bdd52 Merge pull request #138 from ministryofjustice/mount-points-bug
  • 804641b add mount points to json
  • c0e0768 Merge pull request #137 from ministryofjustice/no-splatting
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [ecs-cluster::modernisation-platform-terraform-ecs-cluster](https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster) from 4.0.3 to 4.2.1.
- [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster/releases)
- [Commits](ministryofjustice/modernisation-platform-terraform-ecs-cluster@v4.0.3...v4.2.1)

---
updated-dependencies:
- dependency-name: ecs-cluster::github::ministryofjustice/modernisation-platform-terraform-ecs-cluster::v4.0.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from a team as a code owner May 8, 2024 00:29
@dependabot dependabot bot added dependencies Pull requests that update a dependency file terraform Pull requests that update Terraform code labels May 8, 2024
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label May 8, 2024
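The bump above moves the module source from `?ref=v4.0.3` to `?ref=v4.2.1`. A git tag is a mutable reference: anyone who can push to the upstream repository can move it, so the same `source` string may fetch different code on a later `terraform init`. Checkov's CKV_TF_1 check, which fails further down this page, exists for that reason and asks for a commit hash instead. The script below is an added example, not code from this PR or from the Ministry of Justice modules: it lists the `module` blocks in a Terraform file and classifies each git source as pinned to a full commit SHA, pinned to a mutable tag or branch, or carrying no ref at all. The sample `.tf` text is constructed inline (its repository names mirror the ones on this page), and the parser assumes terraform-fmt formatting with the closing brace of each top-level block at column 0.

```python
"""Flag Terraform module sources that are not pinned to a commit SHA.

Added example, not code from the PR or from the Ministry of Justice modules.
Assumptions: git-style sources carry their revision in a `?ref=` query
parameter (the form used on this page), top-level `module` blocks are
terraform-fmt formatted with the closing brace at column 0, and only a
full 40-hex-digit SHA counts as an immutable pin (tags and branches can be
moved upstream; short SHA prefixes can become ambiguous).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Top-level module block: its name plus everything up to a `}` at column 0.
MODULE_RE = re.compile(r'^module\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}', re.S | re.M)
SOURCE_RE = re.compile(r'^[ \t]*source\s*=\s*"(?P<src>[^"]+)"', re.M)
GIT_SOURCE_RE = re.compile(r'^(git::|github\.com/|git@|https?://)')
REF_RE = re.compile(r'[?&]ref=(?P<ref>[^&]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class Finding:
    module: str
    source: str
    ref: Optional[str]
    status: str  # "pinned" | "mutable-ref" | "no-ref" | "registry"


def classify_source(module: str, source: str) -> Finding:
    """Decide whether one module source resolves to an immutable revision."""
    if not GIT_SOURCE_RE.match(source):
        # Registry or local-path source: versioned by `version`, not by a git ref.
        return Finding(module, source, None, "registry")
    m = REF_RE.search(source)
    if m is None:
        # No ref at all: `terraform init` follows the default branch HEAD.
        return Finding(module, source, None, "no-ref")
    ref = m.group("ref")
    if FULL_SHA_RE.match(ref):
        return Finding(module, source, ref, "pinned")
    # Tag or branch name (or a short SHA prefix): a pointer upstream can move.
    return Finding(module, source, ref, "mutable-ref")


def scan_tf(text: str) -> list:
    """Return one Finding per module block that declares a source."""
    findings = []
    for block in MODULE_RE.finditer(text):
        src = SOURCE_RE.search(block.group("body"))
        if src is not None:
            findings.append(classify_source(block.group("name"), src.group("src")))
    return findings


def unpinned(text: str) -> list:
    """The subset a CI gate would fail on: git sources without a full SHA."""
    return [f for f in scan_tf(text) if f.status in ("mutable-ref", "no-ref")]


# Constructed sample; the repository names mirror those on this page.
SAMPLE_TF = '''
module "ecs_cluster" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.2.1"
  providers = {
    aws.core-vpc = aws.core-vpc
  }
}

module "s3_bucket" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239"
}

module "bastion" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux"
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.0.0"
}
'''

if __name__ == "__main__":
    for f in scan_tf(SAMPLE_TF):
        print(f"{f.status:12} {f.module:12} ref={f.ref!r}")
    # Non-zero exit when anything is unpinned, so a pre-merge job can block on it.
    raise SystemExit(1 if unpinned(SAMPLE_TF) else 0)
```

Run as a script it prints one line per module and exits non-zero when any git source is unpinned, which is what a pre-merge job would key on. Registry sources are reported but not failed, since they are versioned through the `version` argument rather than a git ref.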

github-actions bot commented May 8, 2024

Trivy Scan Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/example


Running Trivy in terraform/environments/example
2024-05-08T00:31:51Z INFO Need to update DB
2024-05-08T00:31:51Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-08T00:31:53Z INFO Vulnerability scanning is enabled
2024-05-08T00:31:53Z INFO Misconfiguration scanning is enabled
2024-05-08T00:31:53Z INFO Need to update the built-in policies
2024-05-08T00:31:53Z INFO Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-05-08T00:31:54Z INFO Secret scanning is enabled
2024-05-08T00:31:54Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T00:31:54Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T00:32:03Z INFO Number of language-specific files num=0
2024-05-08T00:32:03Z INFO Detected config files num=17

ec2.tf (terraform)

Tests: 8 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

ec2_autoscaling_group.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

ec2_complete.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2_complete.tf:233
via ec2_complete.tf:225-234 (aws_security_group_rule.complete_egress_traffic["TCP_ALL"])
────────────────────────────────────────
225 resource "aws_security_group_rule" "complete_egress_traffic" {
226 for_each = local.complete_ec2_sg_egress_rules
227 description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port)
228 from_port = each.value.from_port
229 protocol = each.value.protocol
230 security_group_id = aws_security_group.example_ec2_sg.id
231 to_port = each.value.to_port
232 type = "egress"
233 [ cidr_blocks = [each.value.cidr_block]
234 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:210
via ecs.tf:205-212 (content)
via ecs.tf:203-213 (dynamic.egress["cluster_ec2_lb_egress"])
via ecs.tf:187-215 (aws_security_group.cluster_ec2)
────────────────────────────────────────
187 resource "aws_security_group" "cluster_ec2" {
...
210 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
215 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/main.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:44
via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:40-45 (metadata_options)
via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:1-99 (aws_launch_template.this)
via ec2_autoscaling_group.tf:1-29 (module.ec2_test_autoscaling_group["dev-rh-rhel79"])
────────────────────────────────────────
1 resource "aws_launch_template" "this" {
.
44 [ http_tokens = coalesce(var.instance.metadata_options_http_tokens, "required")
..
99 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf (terraform)

Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:9-64 (module.s3-bucket[0])
via ecs.tf:125-144 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │ }
178 │ }
179 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:9-64 (module.s3-bucket[0])
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │ }
178 │ }
179 └ }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf (terraform)

Tests: 16 (SUCCESSES: 10, FAILURES: 4, EXCEPTIONS: 2)
Failures: 4 (HIGH: 2, CRITICAL: 2)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:148
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:144-175 (aws_lb.loadbalancer)
via ecs.tf:125-144 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
144 resource "aws_lb" "loadbalancer" {
...
148 [ internal = var.internal_lb
...
175 }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:148
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:144-175 (aws_lb.loadbalancer)
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
144 resource "aws_lb" "loadbalancer" {
...
148 [ internal = var.internal_lb
...
175 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:177-213 (aws_security_group.lb[0])
via ecs.tf:125-144 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf (terraform)

Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179
via s3.tf:8-72 (module.s3-bucket)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │ }
178 │ }
179 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179
via loadbalancer.tf:182-245 (module.s3-bucket-lb)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │ }
178 │ }
179 └ }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
loadbalancer.tf:325-341
────────────────────────────────────────
325 ┌ resource "aws_instance" "lb_example_instance" {
326 │ #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
327 │ # Specify the instance type and ami to be used (this is the Amazon free tier option)
328 │ instance_type = local.application_data.accounts[local.environment].instance_type
329 │ ami = local.application_data.accounts[local.environment].ami_image_id
330 │ vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id]
331 │ subnet_id = data.aws_subnet.private_subnets_a.id
332 │ monitoring = true
333 └ ebs_optimized = true
...
────────────────────────────────────────

trivy_exitcode=1
```

Checkov Scan Failed

Show Output

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/example

*****************************

Running Checkov in terraform/environments/example
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-08 00:32:05,708 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-05-08 00:32:05,708 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-05-08 00:32:05,708 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=v2.4.1:None (for external modules, the --download-external-modules flag is required)
2024-05-08 00:32:05,708 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
2024-05-08 00:32:05,708 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=edc55b4005b7039e5b54ad7805e89a473fe3c3dd:None (for external modules, the --download-external-modules flag is required)
2024-05-08 00:32:05,708 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-05-08 00:32:05,708 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v3.0.0:None (for external modules, the --download-external-modules flag is required)
2024-05-08 00:32:05,709 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 244, Failed checks: 30, Skipped checks: 20

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /ec2.tf:136-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		136 | data "aws_iam_policy_document" "ec2_policy" {
		137 |   statement {
		138 |     sid    = "CustomEc2Policy"
		139 |     effect = "Allow"
		140 |     actions = [
		141 |       "ec2:*"
		142 |     ]
		143 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		144 |   }
		145 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /ec2.tf:136-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		136 | data "aws_iam_policy_document" "ec2_policy" {
		137 |   statement {
		138 |     sid    = "CustomEc2Policy"
		139 |     effect = "Allow"
		140 |     actions = [
		141 |       "ec2:*"
		142 |     ]
		143 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		144 |   }
		145 | }

Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /ec2.tf:136-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure

		136 | data "aws_iam_policy_document" "ec2_policy" {
		137 |   statement {
		138 |     sid    = "CustomEc2Policy"
		139 |     effect = "Allow"
		140 |     actions = [
		141 |       "ec2:*"
		142 |     ]
		143 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		144 |   }
		145 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /ec2.tf:136-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		136 | data "aws_iam_policy_document" "ec2_policy" {
		137 |   statement {
		138 |     sid    = "CustomEc2Policy"
		139 |     effect = "Allow"
		140 |     actions = [
		141 |       "ec2:*"
		142 |     ]
		143 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		144 |   }
		145 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ebs-kms
	File: /ec2.tf:184-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		184 | data "aws_iam_policy_document" "ebs-kms" {
		185 |   #checkov:skip=CKV_AWS_111
		186 |   #checkov:skip=CKV_AWS_109
		187 |   statement {
		188 |     effect    = "Allow"
		189 |     actions   = ["kms:*"]
		190 |     resources = ["*"]
		191 | 
		192 |     principals {
		193 |       type = "Service"
		194 |       identifiers = [
		195 |       "ec2.amazonaws.com"]
		196 |     }
		197 |   }
		198 |   statement {
		199 |     effect    = "Allow"
		200 |     actions   = ["kms:*"]
		201 |     resources = ["*"]
		202 | 
		203 |     principals {
		204 |       type = "AWS"
		205 |       identifiers = [
		206 |       "arn:aws:iam::${data.aws_caller_identity.original_session.id}:root"]
		207 |     }
		208 |   }
		209 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ec2_test_instance["example-test-1"]
	File: /ec2.tf:6-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "ec2_test_instance" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=v2.4.1"
		8  | 
		9  |   providers = {
		10 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |   }
		12 |   for_each                      = try(local.ec2_test.ec2_test_instances, {})
		13 |   name                          = each.key
		14 |   ami_name                      = each.value.ami_name
		15 |   ami_owner                     = try(each.value.ami_owner, "core-shared-services-production")
		16 |   instance                      = merge(local.instance, lookup(each.value, "instance", { disable_api_stop = false }))
		17 |   ebs_volumes_copy_all_from_ami = try(each.value.ebs_volumes_copy_all_from_ami, true)
		18 |   ebs_kms_key_id                = module.environment.kms_keys["ebs"].arn
		19 |   ebs_volume_config             = lookup(each.value, "ebs_volume_config", {})
		20 |   ebs_volumes                   = lookup(each.value, "ebs_volumes", {})
		21 |   ssm_parameters_prefix         = lookup(each.value, "ssm_parameters_prefix", "test/")
		22 |   ssm_parameters                = lookup(each.value, "ssm_parameters", null)
		23 |   route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {}))
		24 | 
		25 |   iam_resource_names_prefix = "ec2-test-instance"
		26 |   instance_profile_policies = local.ec2_common_managed_policies
		27 | 
		28 |   business_unit            = local.business_unit
		29 |   application_name         = local.application_name
		30 |   environment              = local.environment
		31 |   region                   = local.region
		32 |   availability_zone        = local.availability_zone_1
		33 |   subnet_id                = module.environment.subnet["private"][local.availability_zone_1].id
		34 |   tags                     = merge(local.ec2_test.tags, try(each.value.tags, {}))
		35 |   account_ids_lookup       = local.environment_management.account_ids
		36 |   cloudwatch_metric_alarms = {}
		37 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ec2_test_instance["example-test-2"]
	File: /ec2.tf:6-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "ec2_test_instance" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=v2.4.1"
		8  | 
		9  |   providers = {
		10 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |   }
		12 |   for_each                      = try(local.ec2_test.ec2_test_instances, {})
		13 |   name                          = each.key
		14 |   ami_name                      = each.value.ami_name
		15 |   ami_owner                     = try(each.value.ami_owner, "core-shared-services-production")
		16 |   instance                      = merge(local.instance, lookup(each.value, "instance", { disable_api_stop = false }))
		17 |   ebs_volumes_copy_all_from_ami = try(each.value.ebs_volumes_copy_all_from_ami, true)
		18 |   ebs_kms_key_id                = module.environment.kms_keys["ebs"].arn
		19 |   ebs_volume_config             = lookup(each.value, "ebs_volume_config", {})
		20 |   ebs_volumes                   = lookup(each.value, "ebs_volumes", {})
		21 |   ssm_parameters_prefix         = lookup(each.value, "ssm_parameters_prefix", "test/")
		22 |   ssm_parameters                = lookup(each.value, "ssm_parameters", null)
		23 |   route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {}))
		24 | 
		25 |   iam_resource_names_prefix = "ec2-test-instance"
		26 |   instance_profile_policies = local.ec2_common_managed_policies
		27 | 
		28 |   business_unit            = local.business_unit
		29 |   application_name         = local.application_name
		30 |   environment              = local.environment
		31 |   region                   = local.region
		32 |   availability_zone        = local.availability_zone_1
		33 |   subnet_id                = module.environment.subnet["private"][local.availability_zone_1].id
		34 |   tags                     = merge(local.ec2_test.tags, try(each.value.tags, {}))
		35 |   account_ids_lookup       = local.environment_management.account_ids
		36 |   cloudwatch_metric_alarms = {}
		37 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ec2_autoscale_policy
	File: /ec2_autoscaling_group.tf:61-70
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		61 | data "aws_iam_policy_document" "ec2_autoscale_policy" {
		62 |   statement {
		63 |     sid    = "CustomEc2Policy"
		64 |     effect = "Allow"
		65 |     actions = [
		66 |       "ec2:*"
		67 |     ]
		68 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		69 |   }
		70 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_autoscale_policy
	File: /ec2_autoscaling_group.tf:61-70
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		61 | data "aws_iam_policy_document" "ec2_autoscale_policy" {
		62 |   statement {
		63 |     sid    = "CustomEc2Policy"
		64 |     effect = "Allow"
		65 |     actions = [
		66 |       "ec2:*"
		67 |     ]
		68 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		69 |   }
		70 | }

Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy_document.ec2_autoscale_policy
	File: /ec2_autoscaling_group.tf:61-70
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure

		61 | data "aws_iam_policy_document" "ec2_autoscale_policy" {
		62 |   statement {
		63 |     sid    = "CustomEc2Policy"
		64 |     effect = "Allow"
		65 |     actions = [
		66 |       "ec2:*"
		67 |     ]
		68 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		69 |   }
		70 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_autoscale_policy
	File: /ec2_autoscaling_group.tf:61-70
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		61 | data "aws_iam_policy_document" "ec2_autoscale_policy" {
		62 |   statement {
		63 |     sid    = "CustomEc2Policy"
		64 |     effect = "Allow"
		65 |     actions = [
		66 |       "ec2:*"
		67 |     ]
		68 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		69 |   }
		70 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ec2_test_autoscaling_group["dev-rh-rhel79"]
	File: /ec2_autoscaling_group.tf:1-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "ec2_test_autoscaling_group" {
		2  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1"
		3  | 
		4  |   providers = {
		5  |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		6  |   }
		7  |   for_each                      = try(local.ec2_test.ec2_test_autoscaling_groups, {})
		8  |   name                          = each.key
		9  |   ami_name                      = each.value.ami_name
		10 |   ami_owner                     = try(each.value.ami_owner, "core-shared-services-production")
		11 |   instance                      = merge(local.autoscale_instance, lookup(each.value, "instance", {}))
		12 |   ebs_volumes_copy_all_from_ami = try(each.value.ebs_volumes_copy_all_from_ami, true)
		13 |   ebs_kms_key_id                = module.environment.kms_keys["ebs"].arn
		14 |   ebs_volume_config             = lookup(each.value, "ebs_volume_config", {})
		15 |   ebs_volumes                   = lookup(each.value, "ebs_volumes", {})
		16 |   ssm_parameters_prefix         = lookup(each.value, "ssm_parameters_prefix", "test/")
		17 |   ssm_parameters                = lookup(each.value, "ssm_parameters", null)
		18 |   autoscaling_group             = merge(local.ec2_test.autoscaling_group, lookup(each.value, "autoscaling_group", {}))
		19 |   autoscaling_schedules         = lookup(each.value, "autoscaling_schedules", local.autoscaling_schedules_default)
		20 | 
		21 |   iam_resource_names_prefix = "ec2-test-asg"
		22 |   instance_profile_policies = local.ec2_autoscale_common_managed_policies
		23 |   application_name          = local.application_name
		24 |   region                    = local.region
		25 |   subnet_ids                = module.environment.subnets["private"].ids
		26 |   tags                      = merge(local.ec2_test.tags, try(each.value.tags, {}))
		27 |   account_ids_lookup        = local.environment_management.account_ids
		28 |   cloudwatch_metric_alarms  = {}
		29 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name = "bastion-example"
		11 |   # public keys
		12 |   public_key_data = local.public_key_data.keys[local.environment]
		13 |   # logs
		14 |   log_auto_clean       = "Enabled"
		15 |   log_standard_ia_days = 30  # days before moving to IA storage
		16 |   log_glacier_days     = 60  # days before moving to Glacier
		17 |   log_expiry_days      = 180 # days before log expiration
		18 |   # bastion
		19 |   allow_ssh_commands = false
		20 |   app_name           = var.networking[0].application
		21 |   business_unit      = local.vpc_name
		22 |   subnet_set         = local.subnet_set
		23 |   environment        = local.environment
		24 |   region             = "eu-west-2"
		25 | 
		26 |   # Tags
		27 |   tags_common = local.tags
		28 |   tags_prefix = terraform.workspace
		29 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ec2_complete_policy
	File: /ec2_complete.tf:153-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		153 | data "aws_iam_policy_document" "ec2_complete_policy" {
		154 |   statement {
		155 |     sid    = "AllowSSMAccess"
		156 |     effect = "Allow"
		157 |     actions = [
		158 |       "ssm:StartSession",
		159 |       "ssm:ResumeSession",
		160 |       "ssm:TerminateSession",
		161 |       "ssmmessages:CreateControlChannel",
		162 |       "ssmmessages:CreateDataChannel",
		163 |       "ssmmessages:OpenControlChannel",
		164 |       "ssmmessages:OpenDataChannel",
		165 |       "ec2messages:AcknowledgeMessage",
		166 |       "ec2:DescribeInstances"
		167 |     ]
		168 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		169 |   }
		170 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_complete_policy
	File: /ec2_complete.tf:153-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		153 | data "aws_iam_policy_document" "ec2_complete_policy" {
		154 |   statement {
		155 |     sid    = "AllowSSMAccess"
		156 |     effect = "Allow"
		157 |     actions = [
		158 |       "ssm:StartSession",
		159 |       "ssm:ResumeSession",
		160 |       "ssm:TerminateSession",
		161 |       "ssmmessages:CreateControlChannel",
		162 |       "ssmmessages:CreateDataChannel",
		163 |       "ssmmessages:OpenControlChannel",
		164 |       "ssmmessages:OpenDataChannel",
		165 |       "ec2messages:AcknowledgeMessage",
		166 |       "ec2:DescribeInstances"
		167 |     ]
		168 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		169 |   }
		170 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs-cluster
	File: /ecs.tf:5-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "ecs-cluster" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.2.1"
		7  | 
		8  |   ec2_capacity_instance_type     = local.application_data.accounts[local.environment].container_instance_type
		9  |   ec2_capacity_max_size          = local.application_data.accounts[local.environment].ec2_max_size
		10 |   ec2_capacity_min_size          = local.application_data.accounts[local.environment].ec2_min_size
		11 |   ec2_capacity_security_group_id = aws_security_group.cluster_ec2.id
		12 |   ec2_subnet_ids = [
		13 |     data.aws_subnet.private_subnets_a.id,
		14 |     data.aws_subnet.private_subnets_b.id,
		15 |     data.aws_subnet.private_subnets_c.id
		16 |   ]
		17 |   environment = local.environment
		18 |   name        = local.ecs_application_name
		19 |   namespace   = "platforms"
		20 |   tags        = local.tags
		21 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: service
	File: /ecs.tf:23-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "service" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v3.0.0"
		25 | 
		26 |   container_definition_json = templatefile("${path.module}/templates/task_definition.json.tftpl", {})
		27 |   ecs_cluster_arn           = module.ecs-cluster.ecs_cluster_arn
		28 |   name                      = "${local.ecs_application_name}-task_definition_volume"
		29 |   namespace                 = "platforms"
		30 |   vpc_id                    = local.vpc_all
		31 | 
		32 |   launch_type  = local.application_data.accounts[local.environment].launch_type
		33 |   network_mode = local.application_data.accounts[local.environment].network_mode
		34 | 
		35 |   task_cpu    = local.application_data.accounts[local.environment].container_cpu
		36 |   task_memory = local.application_data.accounts[local.environment].container_memory
		37 | 
		38 |   task_exec_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.ecs_application_name}-ecs-task-execution-role"
		39 | 
		40 |   environment = local.environment
		41 |   ecs_load_balancers = [
		42 |     {
		43 |       target_group_arn = aws_lb_target_group.ecs_target_group.arn
		44 |       container_name   = local.ecs_application_name
		45 |       container_port   = 80
		46 |     }
		47 |   ]
		48 | 
		49 |   subnet_ids = [
		50 |     data.aws_subnet.private_subnets_a.id,
		51 |     data.aws_subnet.private_subnets_b.id,
		52 |     data.aws_subnet.private_subnets_c.id
		53 |   ]
		54 | 
		55 |   ignore_changes_task_definition = false
		56 |   tags                           = local.tags
		57 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_lb_access_logs_enabled
	File: /ecs.tf:125-144
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		125 | module "ecs_lb_access_logs_enabled" {
		126 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0"
		127 |   providers = {
		128 |     # Here we use the default provider for the S3 bucket module, buck replication is disabled but we still
		129 |     # Need to pass the provider to the S3 bucket module
		130 |     aws.bucket-replication = aws
		131 |   }
		132 |   vpc_all = "${local.vpc_name}-${local.environment}"
		133 |   #existing_bucket_name               = "my-bucket-name"
		134 |   force_destroy_bucket       = true # enables destruction of logging bucket
		135 |   application_name           = local.ecs_application_name
		136 |   public_subnets             = [data.aws_subnet.data_subnets_a.id, data.aws_subnet.data_subnets_b.id, data.aws_subnet.data_subnets_c.id]
		137 |   loadbalancer_ingress_rules = local.ecs_loadbalancer_ingress_rules
		138 |   loadbalancer_egress_rules  = local.ecs_loadbalancer_egress_rules
		139 |   tags                       = local.tags
		140 |   account_number             = local.environment_management.account_ids[terraform.workspace]
		141 |   region                     = "eu-west-2"
		142 |   enable_deletion_protection = false
		143 |   idle_timeout               = 60
		144 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-lb
	File: /loadbalancer.tf:182-245
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.lb_example_instance
	File: /loadbalancer.tf:325-341
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		325 | resource "aws_instance" "lb_example_instance" {
		326 |   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
		327 |   # Specify the instance type and ami to be used (this is the Amazon free tier option)
		328 |   instance_type          = local.application_data.accounts[local.environment].instance_type
		329 |   ami                    = local.application_data.accounts[local.environment].ami_image_id
		330 |   vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id]
		331 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		332 |   monitoring             = true
		333 |   ebs_optimized          = true
		334 | 
		335 |   metadata_options {
		336 |     http_endpoint = "enabled"
		337 |     http_tokens   = "required"
		338 |   }
		339 |   tags       = { Name = lower(format("ec2-%s-%s-example", local.application_name, local.environment)) }
		340 |   depends_on = [aws_security_group.example_load_balancer_sg]
		341 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: lb_access_logs_enabled
	File: /loadbalancer_module.tf:2-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "lb_access_logs_enabled" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0"
		4  |   providers = {
		5  |     # Here we use the default provider for the S3 bucket module, buck replication is disabled but we still
		6  |     # Need to pass the provider to the S3 bucket module
		7  |     aws.bucket-replication = aws
		8  |   }
		9  |   vpc_all = "${local.vpc_name}-${local.environment}"
		10 |   #existing_bucket_name               = "my-bucket-name"
		11 |   force_destroy_bucket       = true # enables destruction of logging bucket
		12 |   application_name           = local.application_name
		13 |   public_subnets             = [data.aws_subnet.data_subnets_a.id, data.aws_subnet.data_subnets_b.id, data.aws_subnet.data_subnets_c.id]
		14 |   loadbalancer_ingress_rules = local.loadbalancer_ingress_rules
		15 |   loadbalancer_egress_rules  = local.loadbalancer_egress_rules
		16 |   account_number             = local.environment_management.account_ids[terraform.workspace]
		17 |   region                     = "eu-west-2"
		18 |   enable_deletion_protection = false
		19 |   idle_timeout               = 60
		20 |   tags                       = {}
		21 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.Example-RDS
	File: /rds.tf:11-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		11 | resource "aws_db_instance" "Example-RDS" { #tfsec:ignore:aws-rds-enable-deletion-protection
		12 |   engine                     = "mysql"
		13 |   engine_version             = "5.7"
		14 |   auto_minor_version_upgrade = true
		15 |   instance_class             = local.application_data.accounts[local.environment].db_instance_class
		16 |   db_name                    = "${local.application_name}${local.environment}database"
		17 |   identifier                 = "${local.application_name}-${local.environment}-database"
		18 |   username                   = local.application_data.accounts[local.environment].db_user
		19 |   password                   = aws_secretsmanager_secret_version.db_password.secret_string
		20 |   # tflint-ignore: aws_db_instance_default_parameter_group
		21 |   parameter_group_name        = "default.mysql5.7"
		22 |   skip_final_snapshot         = local.application_data.accounts[local.environment].skip_final_snapshot
		23 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		24 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		25 |   maintenance_window          = local.application_data.accounts[local.environment].maintenance_window
		26 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].allow_major_version_upgrade
		27 |   backup_window               = local.application_data.accounts[local.environment].backup_window
		28 |   backup_retention_period     = local.application_data.accounts[local.environment].retention_period
		29 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		30 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		31 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional" #tfsec:ignore:aws-rds-enable-database-authentication
		32 |   multi_az = local.application_data.accounts[local.environment].db_multi_az
		33 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		34 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		35 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		36 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		37 |   storage_encrypted               = true
		38 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		39 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		40 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		41 |   tags = merge(local.tags,
		42 |     { Name = lower(format("%s-%s-example", local.application_name, local.environment)) }
		43 |   )
		44 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.Example-RDS
	File: /rds.tf:11-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		11 | resource "aws_db_instance" "Example-RDS" { #tfsec:ignore:aws-rds-enable-deletion-protection
		12 |   engine                     = "mysql"
		13 |   engine_version             = "5.7"
		14 |   auto_minor_version_upgrade = true
		15 |   instance_class             = local.application_data.accounts[local.environment].db_instance_class
		16 |   db_name                    = "${local.application_name}${local.environment}database"
		17 |   identifier                 = "${local.application_name}-${local.environment}-database"
		18 |   username                   = local.application_data.accounts[local.environment].db_user
		19 |   password                   = aws_secretsmanager_secret_version.db_password.secret_string
		20 |   # tflint-ignore: aws_db_instance_default_parameter_group
		21 |   parameter_group_name        = "default.mysql5.7"
		22 |   skip_final_snapshot         = local.application_data.accounts[local.environment].skip_final_snapshot
		23 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		24 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		25 |   maintenance_window          = local.application_data.accounts[local.environment].maintenance_window
		26 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].allow_major_version_upgrade
		27 |   backup_window               = local.application_data.accounts[local.environment].backup_window
		28 |   backup_retention_period     = local.application_data.accounts[local.environment].retention_period
		29 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		30 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		31 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional" #tfsec:ignore:aws-rds-enable-database-authentication
		32 |   multi_az = local.application_data.accounts[local.environment].db_multi_az
		33 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		34 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		35 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		36 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		37 |   storage_encrypted               = true
		38 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		39 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		40 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		41 |   tags = merge(local.tags,
		42 |     { Name = lower(format("%s-%s-example", local.application_name, local.environment)) }
		43 |   )
		44 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /s3.tf:8-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.Example-RDS
	File: /rds.tf:11-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		11 | resource "aws_db_instance" "Example-RDS" { #tfsec:ignore:aws-rds-enable-deletion-protection
		12 |   engine                     = "mysql"
		13 |   engine_version             = "5.7"
		14 |   auto_minor_version_upgrade = true
		15 |   instance_class             = local.application_data.accounts[local.environment].db_instance_class
		16 |   db_name                    = "${local.application_name}${local.environment}database"
		17 |   identifier                 = "${local.application_name}-${local.environment}-database"
		18 |   username                   = local.application_data.accounts[local.environment].db_user
		19 |   password                   = aws_secretsmanager_secret_version.db_password.secret_string
		20 |   # tflint-ignore: aws_db_instance_default_parameter_group
		21 |   parameter_group_name        = "default.mysql5.7"
		22 |   skip_final_snapshot         = local.application_data.accounts[local.environment].skip_final_snapshot
		23 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		24 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		25 |   maintenance_window          = local.application_data.accounts[local.environment].maintenance_window
		26 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].allow_major_version_upgrade
		27 |   backup_window               = local.application_data.accounts[local.environment].backup_window
		28 |   backup_retention_period     = local.application_data.accounts[local.environment].retention_period
		29 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		30 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		31 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional" #tfsec:ignore:aws-rds-enable-database-authentication
		32 |   multi_az = local.application_data.accounts[local.environment].db_multi_az
		33 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		34 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		35 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		36 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		37 |   storage_encrypted               = true
		38 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		39 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		40 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		41 |   tags = merge(local.tags,
		42 |     { Name = lower(format("%s-%s-example", local.application_name, local.environment)) }
		43 |   )
		44 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.example_ec2_autoscale_sg
	File: /ec2_autoscaling_group.tf:73-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		73 | resource "aws_security_group" "example_ec2_autoscale_sg" {
		74 |   name        = "example_ec2_autoscale_sg"
		75 |   description = "Controls access to EC2"
		76 |   vpc_id      = data.aws_vpc.shared.id
		77 |   tags        = { Name = lower(format("sg-%s-%s-example", local.application_name, local.environment)) }
		78 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.complete_example_ec2_sg
	File: /ec2_complete.tf:207-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		207 | resource "aws_security_group" "complete_example_ec2_sg" {
		208 |   name        = "complete_ec2_sg"
		209 |   description = "Ingress and Egress Access Controls for EC2"
		210 |   vpc_id      = data.aws_vpc.shared.id
		211 |   tags        = { Name = lower(format("sg-%s-%s-example", local.application_name, local.environment)) }
		212 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.cluster_ec2
	File: /ecs.tf:187-215
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		187 | resource "aws_security_group" "cluster_ec2" {
		188 |   #checkov:skip=CKV_AWS_23
		189 |   name        = "cluster_ec2"
		190 |   description = "controls access to the cluster ec2 instance"
		191 |   vpc_id      = data.aws_vpc.shared.id
		192 |   dynamic "ingress" {
		193 |     for_each = local.ec2_ingress_rules
		194 |     content {
		195 |       description     = lookup(ingress.value, "description", null)
		196 |       from_port       = lookup(ingress.value, "from_port", null)
		197 |       to_port         = lookup(ingress.value, "to_port", null)
		198 |       protocol        = lookup(ingress.value, "protocol", null)
		199 |       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
		200 |       security_groups = lookup(ingress.value, "security_groups", null)
		201 |     }
		202 |   }
		203 |   dynamic "egress" {
		204 |     for_each = local.ec2_egress_rules
		205 |     content {
		206 |       description     = lookup(egress.value, "description", null)
		207 |       from_port       = lookup(egress.value, "from_port", null)
		208 |       to_port         = lookup(egress.value, "to_port", null)
		209 |       protocol        = lookup(egress.value, "protocol", null)
		210 |       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
		211 |       security_groups = lookup(egress.value, "security_groups", null)
		212 |     }
		213 |   }
		214 |   tags = { Name = lower(format("sg-%s-%s-example", local.application_name, local.environment)) }
		215 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /rds.tf:76-86
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		76 | resource "aws_secretsmanager_secret" "db_password" {
		77 |   #checkov:skip=CKV_AWS_149
		78 |   name                    = "${var.networking[0].application}-db-password"
		79 |   recovery_window_in_days = 0
		80 |   tags = merge(
		81 |     local.tags,
		82 |     {
		83 |       Name = "${var.networking[0].application}-db-password"
		84 |     },
		85 |   )
		86 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.certificate_example_lb
	File: /certificates.tf:63-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		63 | resource "aws_lb" "certificate_example_lb" {
		64 |   name               = "certificate-example-loadbalancer"
		65 |   load_balancer_type = "application"
		66 |   subnets            = data.aws_subnets.shared-public.ids
		67 |   #checkov:skip=CKV_AWS_150:Short-lived example environment, hence no need for deletion protection
		68 |   enable_deletion_protection = false
		69 |   # allow 60*4 seconds before 504 gateway timeout for long-running DB operations
		70 |   idle_timeout               = 240
		71 |   drop_invalid_header_fields = true
		72 | 
		73 |   security_groups = [aws_security_group.certificate_example_load_balancer_sg.id]
		74 | 
		75 |   access_logs {
		76 |     bucket  = module.s3-bucket-lb.bucket.id
		77 |     prefix  = "test-lb"
		78 |     enabled = true
		79 |   }
		80 | 
		81 |   tags       = { Name = "${local.application_name}-external-loadbalancer" }
		82 |   depends_on = [aws_security_group.certificate_example_load_balancer_sg]
		83 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/example

*****************************

Running tflint in terraform/environments/example
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/example/rds.tf line 93:
  93: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/example

*****************************

Running Trivy in terraform/environments/example
2024-05-08T00:31:51Z	INFO	Need to update DB
2024-05-08T00:31:51Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-08T00:31:53Z	INFO	Vulnerability scanning is enabled
2024-05-08T00:31:53Z	INFO	Misconfiguration scanning is enabled
2024-05-08T00:31:53Z	INFO	Need to update the built-in policies
2024-05-08T00:31:53Z	INFO	Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-05-08T00:31:54Z	INFO	Secret scanning is enabled
2024-05-08T00:31:54Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T00:31:54Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T00:32:03Z	INFO	Number of language-specific files	num=0
2024-05-08T00:32:03Z	INFO	Detected config files	num=17

ec2.tf (terraform)
==================
Tests: 8 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ec2_autoscaling_group.tf (terraform)
====================================
Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ec2_complete.tf (terraform)
===========================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ec2_complete.tf:233
   via ec2_complete.tf:225-234 (aws_security_group_rule.complete_egress_traffic["TCP_ALL"])
────────────────────────────────────────
 225   resource "aws_security_group_rule" "complete_egress_traffic" {
 226     for_each          = local.complete_ec2_sg_egress_rules
 227     description       = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port)
 228     from_port         = each.value.from_port
 229     protocol          = each.value.protocol
 230     security_group_id = aws_security_group.example_ec2_sg.id
 231     to_port           = each.value.to_port
 232     type              = "egress"
 233 [   cidr_blocks       = [each.value.cidr_block]
 234   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 5 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:210
   via ecs.tf:205-212 (content)
    via ecs.tf:203-213 (dynamic.egress["cluster_ec2_lb_egress"])
     via ecs.tf:187-215 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 187   resource "aws_security_group" "cluster_ec2" {
 ...   
 210 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 215   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/main.tf (terraform)
==========================================================================================================
Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf (terraform)
==================================================================================================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:44
   via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:40-45 (metadata_options)
    via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:1-99 (aws_launch_template.this)
     via ec2_autoscaling_group.tf:1-29 (module.ec2_test_autoscaling_group["dev-rh-rhel79"])
────────────────────────────────────────
   1   resource "aws_launch_template" "this" {
   .   
  44 [     http_tokens = coalesce(var.instance.metadata_options_http_tokens, "required")
  ..   
  99   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf (terraform)
==============================================================================================================================================================================================================================
Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:9-64 (module.s3-bucket[0])
    via ecs.tf:125-144 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
 171resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:9-64 (module.s3-bucket[0])
    via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
 171resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf (terraform)
=========================================================================================================
Tests: 16 (SUCCESSES: 10, FAILURES: 4, EXCEPTIONS: 2)
Failures: 4 (HIGH: 2, CRITICAL: 2)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:148
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:144-175 (aws_lb.loadbalancer)
    via ecs.tf:125-144 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
 144   resource "aws_lb" "loadbalancer" {
 ...   
 148 [   internal                         = var.internal_lb
 ...   
 175   }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:148
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:144-175 (aws_lb.loadbalancer)
    via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
 144   resource "aws_lb" "loadbalancer" {
 ...   
 148 [   internal                         = var.internal_lb
 ...   
 175   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:177-213 (aws_security_group.lb[0])
      via ecs.tf:125-144 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf (terraform)
======================================================================================================
Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179
   via s3.tf:8-72 (module.s3-bucket)
────────────────────────────────────────
 171resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179
   via loadbalancer.tf:182-245 (module.s3-bucket-lb)
────────────────────────────────────────
 171resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 7 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 loadbalancer.tf:325-341
────────────────────────────────────────
 325resource "aws_instance" "lb_example_instance" {
 326#checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
 327# Specify the instance type and ami to be used (this is the Amazon free tier option)
 328 │   instance_type          = local.application_data.accounts[local.environment].instance_type
 329 │   ami                    = local.application_data.accounts[local.environment].ami_image_id
 330 │   vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id]
 331 │   subnet_id              = data.aws_subnet.private_subnets_a.id
 332 │   monitoring             = true
 333 └   ebs_optimized          = true
 ...   
────────────────────────────────────────


trivy_exitcode=1


dependabot bot commented on behalf of github May 15, 2024

Superseded by #6083.

@dependabot dependabot bot closed this May 15, 2024
@dependabot dependabot bot deleted the dependabot/terraform/terraform/environments/example/ecs-cluster--github--ministryofjustice/modernisation-platform-terraform-ecs-cluster--v4.0.3-4.2.1 branch May 15, 2024 00:28
Labels
dependencies Pull requests that update a dependency file environments-repository Used to exclude PRs from this repo in our Slack PR update terraform Pull requests that update Terraform code