Bump service::modernisation-platform-terraform-ecs-cluster from 3.0.0 to 4.3.0 in /terraform/environments/example #6084

Conversation

dependabot[bot] (Contributor) commented on behalf of github on May 15, 2024

Bumps service::modernisation-platform-terraform-ecs-cluster from 3.0.0 to 4.3.0.

Release notes

Sourced from service::modernisation-platform-terraform-ecs-cluster's releases.

v4.3.0

What's Changed

New Contributors

Full Changelog: ministryofjustice/modernisation-platform-terraform-ecs-cluster@v4.2.1...v4.3.0

v4.2.1

What's Changed

New Contributors

Full Changelog: ministryofjustice/modernisation-platform-terraform-ecs-cluster@v4.2.0...v4.2.1

v4.2.0

What's New

Mount points are now supported in a container definition

What's Changed

Full Changelog: ministryofjustice/modernisation-platform-terraform-ecs-cluster@v4.1.1...v4.2.0

v4.1.1

Change to replace [*] with [0] to select one item not a list.

What's Changed

Full Changelog: ministryofjustice/modernisation-platform-terraform-ecs-cluster@v4.1.0...v4.1.1

4.1.0

Introduced new attributes that can be passed into the module. See below for details of all changes.

What's Changed

... (truncated)

Commits
  • b006479 Merge pull request #157 from ministryofjustice/dependabot/github_actions/gith...
  • 521ae82 Merge pull request #156 from ministryofjustice/mount-points-optional
  • 659ce2e Merge pull request #155 from ministryofjustice/nonsensitive-container-defs
  • bdb15db Merge pull request #139 from ministryofjustice/docs/update-README-file
  • e22a720 Build(deps): Bump github/codeql-action from 3.25.4 to 3.25.5
  • e28af24 terraform-docs: automated action
  • 322c719 make mount points optional
  • b19d811 Update task_def.tf
  • 380d206 Merge pull request #154 from ministryofjustice/dependabot/github_actions/brid...
  • 07dc9da Merge pull request #153 from ministryofjustice/dependabot/github_actions/ossf...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot requested a review from a team as a code owner May 15, 2024 00:28
@dependabot dependabot bot added the labels `dependencies` (Pull requests that update a dependency file) and `terraform` (Pull requests that update Terraform code) on May 15, 2024
@github-actions github-actions bot added the label `environments-repository` (Used to exclude PRs from this repo in our Slack PR update) on May 15, 2024

#### `Trivy Scan` Failed

<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/example


Running Trivy in terraform/environments/example
2024-05-15T00:30:17Z INFO Need to update DB
2024-05-15T00:30:17Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-15T00:30:19Z INFO Vulnerability scanning is enabled
2024-05-15T00:30:19Z INFO Misconfiguration scanning is enabled
2024-05-15T00:30:19Z INFO Need to update the built-in policies
2024-05-15T00:30:19Z INFO Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-05-15T00:30:19Z INFO Secret scanning is enabled
2024-05-15T00:30:19Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-15T00:30:19Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-15T00:30:23Z INFO Number of language-specific files num=0
2024-05-15T00:30:23Z INFO Detected config files num=17

ec2.tf (terraform)

Tests: 8 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

ec2_autoscaling_group.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

ec2_complete.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2_complete.tf:233
via ec2_complete.tf:225-234 (aws_security_group_rule.complete_egress_traffic["TCP_ALL"])
────────────────────────────────────────
225 resource "aws_security_group_rule" "complete_egress_traffic" {
226 for_each = local.complete_ec2_sg_egress_rules
227 description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port)
228 from_port = each.value.from_port
229 protocol = each.value.protocol
230 security_group_id = aws_security_group.example_ec2_sg.id
231 to_port = each.value.to_port
232 type = "egress"
233 [ cidr_blocks = [each.value.cidr_block]
234 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:210
via ecs.tf:205-212 (content)
via ecs.tf:203-213 (dynamic.egress["cluster_ec2_lb_egress"])
via ecs.tf:187-215 (aws_security_group.cluster_ec2)
────────────────────────────────────────
187 resource "aws_security_group" "cluster_ec2" {
...
210 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
215 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/main.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:44
via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:40-45 (metadata_options)
via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:1-99 (aws_launch_template.this)
via ec2_autoscaling_group.tf:1-29 (module.ec2_test_autoscaling_group["dev-rh-rhel79"])
────────────────────────────────────────
1 resource "aws_launch_template" "this" {
.
44 [ http_tokens = coalesce(var.instance.metadata_options_http_tokens, "required")
..
99 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf (terraform)

Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:9-64 (module.s3-bucket[0])
via ecs.tf:125-144 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │ }
178 │ }
179 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:9-64 (module.s3-bucket[0])
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │ }
178 │ }
179 └ }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf (terraform)

Tests: 16 (SUCCESSES: 10, FAILURES: 4, EXCEPTIONS: 2)
Failures: 4 (HIGH: 2, CRITICAL: 2)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:148
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:144-175 (aws_lb.loadbalancer)
via ecs.tf:125-144 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
144 resource "aws_lb" "loadbalancer" {
...
148 [ internal = var.internal_lb
...
175 }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:148
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:144-175 (aws_lb.loadbalancer)
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
144 resource "aws_lb" "loadbalancer" {
...
148 [ internal = var.internal_lb
...
175 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:177-213 (aws_security_group.lb[0])
via ecs.tf:125-144 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf (terraform)

Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179
via s3.tf:8-72 (module.s3-bucket)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │ }
178 │ }
179 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179
via loadbalancer.tf:182-245 (module.s3-bucket-lb)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │ }
178 │ }
179 └ }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
loadbalancer.tf:325-341
────────────────────────────────────────
325 ┌ resource "aws_instance" "lb_example_instance" {
326 │ #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
327 │ # Specify the instance type and ami to be used (this is the Amazon free tier option)
328 │ instance_type = local.application_data.accounts[local.environment].instance_type
329 │ ami = local.application_data.accounts[local.environment].ami_image_id
330 │ vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id]
331 │ subnet_id = data.aws_subnet.private_subnets_a.id
332 │ monitoring = true
333 └ ebs_optimized = true
...
────────────────────────────────────────

trivy_exitcode=1

```

</details>

#### `Checkov Scan` Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/example

*****************************

Running Checkov in terraform/environments/example
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-15 00:30:26,315 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-05-15 00:30:26,315 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-05-15 00:30:26,315 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=v2.4.1:None (for external modules, the --download-external-modules flag is required)
2024-05-15 00:30:26,315 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
2024-05-15 00:30:26,315 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=edc55b4005b7039e5b54ad7805e89a473fe3c3dd:None (for external modules, the --download-external-modules flag is required)
2024-05-15 00:30:26,315 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.0.3:None (for external modules, the --download-external-modules flag is required)
2024-05-15 00:30:26,315 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
2024-05-15 00:30:26,315 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 244, Failed checks: 30, Skipped checks: 20

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /ec2.tf:136-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		136 | data "aws_iam_policy_document" "ec2_policy" {
		137 |   statement {
		138 |     sid    = "CustomEc2Policy"
		139 |     effect = "Allow"
		140 |     actions = [
		141 |       "ec2:*"
		142 |     ]
		143 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		144 |   }
		145 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /ec2.tf:136-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		136 | data "aws_iam_policy_document" "ec2_policy" {
		137 |   statement {
		138 |     sid    = "CustomEc2Policy"
		139 |     effect = "Allow"
		140 |     actions = [
		141 |       "ec2:*"
		142 |     ]
		143 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		144 |   }
		145 | }

Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /ec2.tf:136-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure

		136 | data "aws_iam_policy_document" "ec2_policy" {
		137 |   statement {
		138 |     sid    = "CustomEc2Policy"
		139 |     effect = "Allow"
		140 |     actions = [
		141 |       "ec2:*"
		142 |     ]
		143 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		144 |   }
		145 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /ec2.tf:136-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		136 | data "aws_iam_policy_document" "ec2_policy" {
		137 |   statement {
		138 |     sid    = "CustomEc2Policy"
		139 |     effect = "Allow"
		140 |     actions = [
		141 |       "ec2:*"
		142 |     ]
		143 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		144 |   }
		145 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ebs-kms
	File: /ec2.tf:184-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		184 | data "aws_iam_policy_document" "ebs-kms" {
		185 |   #checkov:skip=CKV_AWS_111
		186 |   #checkov:skip=CKV_AWS_109
		187 |   statement {
		188 |     effect    = "Allow"
		189 |     actions   = ["kms:*"]
		190 |     resources = ["*"]
		191 | 
		192 |     principals {
		193 |       type = "Service"
		194 |       identifiers = [
		195 |       "ec2.amazonaws.com"]
		196 |     }
		197 |   }
		198 |   statement {
		199 |     effect    = "Allow"
		200 |     actions   = ["kms:*"]
		201 |     resources = ["*"]
		202 | 
		203 |     principals {
		204 |       type = "AWS"
		205 |       identifiers = [
		206 |       "arn:aws:iam::${data.aws_caller_identity.original_session.id}:root"]
		207 |     }
		208 |   }
		209 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ec2_test_instance["example-test-1"]
	File: /ec2.tf:6-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "ec2_test_instance" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=v2.4.1"
		8  | 
		9  |   providers = {
		10 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |   }
		12 |   for_each                      = try(local.ec2_test.ec2_test_instances, {})
		13 |   name                          = each.key
		14 |   ami_name                      = each.value.ami_name
		15 |   ami_owner                     = try(each.value.ami_owner, "core-shared-services-production")
		16 |   instance                      = merge(local.instance, lookup(each.value, "instance", { disable_api_stop = false }))
		17 |   ebs_volumes_copy_all_from_ami = try(each.value.ebs_volumes_copy_all_from_ami, true)
		18 |   ebs_kms_key_id                = module.environment.kms_keys["ebs"].arn
		19 |   ebs_volume_config             = lookup(each.value, "ebs_volume_config", {})
		20 |   ebs_volumes                   = lookup(each.value, "ebs_volumes", {})
		21 |   ssm_parameters_prefix         = lookup(each.value, "ssm_parameters_prefix", "test/")
		22 |   ssm_parameters                = lookup(each.value, "ssm_parameters", null)
		23 |   route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {}))
		24 | 
		25 |   iam_resource_names_prefix = "ec2-test-instance"
		26 |   instance_profile_policies = local.ec2_common_managed_policies
		27 | 
		28 |   business_unit            = local.business_unit
		29 |   application_name         = local.application_name
		30 |   environment              = local.environment
		31 |   region                   = local.region
		32 |   availability_zone        = local.availability_zone_1
		33 |   subnet_id                = module.environment.subnet["private"][local.availability_zone_1].id
		34 |   tags                     = merge(local.ec2_test.tags, try(each.value.tags, {}))
		35 |   account_ids_lookup       = local.environment_management.account_ids
		36 |   cloudwatch_metric_alarms = {}
		37 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ec2_test_instance["example-test-2"]
	File: /ec2.tf:6-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "ec2_test_instance" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=v2.4.1"
		8  | 
		9  |   providers = {
		10 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |   }
		12 |   for_each                      = try(local.ec2_test.ec2_test_instances, {})
		13 |   name                          = each.key
		14 |   ami_name                      = each.value.ami_name
		15 |   ami_owner                     = try(each.value.ami_owner, "core-shared-services-production")
		16 |   instance                      = merge(local.instance, lookup(each.value, "instance", { disable_api_stop = false }))
		17 |   ebs_volumes_copy_all_from_ami = try(each.value.ebs_volumes_copy_all_from_ami, true)
		18 |   ebs_kms_key_id                = module.environment.kms_keys["ebs"].arn
		19 |   ebs_volume_config             = lookup(each.value, "ebs_volume_config", {})
		20 |   ebs_volumes                   = lookup(each.value, "ebs_volumes", {})
		21 |   ssm_parameters_prefix         = lookup(each.value, "ssm_parameters_prefix", "test/")
		22 |   ssm_parameters                = lookup(each.value, "ssm_parameters", null)
		23 |   route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {}))
		24 | 
		25 |   iam_resource_names_prefix = "ec2-test-instance"
		26 |   instance_profile_policies = local.ec2_common_managed_policies
		27 | 
		28 |   business_unit            = local.business_unit
		29 |   application_name         = local.application_name
		30 |   environment              = local.environment
		31 |   region                   = local.region
		32 |   availability_zone        = local.availability_zone_1
		33 |   subnet_id                = module.environment.subnet["private"][local.availability_zone_1].id
		34 |   tags                     = merge(local.ec2_test.tags, try(each.value.tags, {}))
		35 |   account_ids_lookup       = local.environment_management.account_ids
		36 |   cloudwatch_metric_alarms = {}
		37 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ec2_autoscale_policy
	File: /ec2_autoscaling_group.tf:61-70
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		61 | data "aws_iam_policy_document" "ec2_autoscale_policy" {
		62 |   statement {
		63 |     sid    = "CustomEc2Policy"
		64 |     effect = "Allow"
		65 |     actions = [
		66 |       "ec2:*"
		67 |     ]
		68 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		69 |   }
		70 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_autoscale_policy
	File: /ec2_autoscaling_group.tf:61-70
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		61 | data "aws_iam_policy_document" "ec2_autoscale_policy" {
		62 |   statement {
		63 |     sid    = "CustomEc2Policy"
		64 |     effect = "Allow"
		65 |     actions = [
		66 |       "ec2:*"
		67 |     ]
		68 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		69 |   }
		70 | }

Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy_document.ec2_autoscale_policy
	File: /ec2_autoscaling_group.tf:61-70
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure

		61 | data "aws_iam_policy_document" "ec2_autoscale_policy" {
		62 |   statement {
		63 |     sid    = "CustomEc2Policy"
		64 |     effect = "Allow"
		65 |     actions = [
		66 |       "ec2:*"
		67 |     ]
		68 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		69 |   }
		70 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_autoscale_policy
	File: /ec2_autoscaling_group.tf:61-70
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		61 | data "aws_iam_policy_document" "ec2_autoscale_policy" {
		62 |   statement {
		63 |     sid    = "CustomEc2Policy"
		64 |     effect = "Allow"
		65 |     actions = [
		66 |       "ec2:*"
		67 |     ]
		68 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		69 |   }
		70 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ec2_test_autoscaling_group["dev-rh-rhel79"]
	File: /ec2_autoscaling_group.tf:1-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "ec2_test_autoscaling_group" {
		2  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1"
		3  | 
		4  |   providers = {
		5  |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		6  |   }
		7  |   for_each                      = try(local.ec2_test.ec2_test_autoscaling_groups, {})
		8  |   name                          = each.key
		9  |   ami_name                      = each.value.ami_name
		10 |   ami_owner                     = try(each.value.ami_owner, "core-shared-services-production")
		11 |   instance                      = merge(local.autoscale_instance, lookup(each.value, "instance", {}))
		12 |   ebs_volumes_copy_all_from_ami = try(each.value.ebs_volumes_copy_all_from_ami, true)
		13 |   ebs_kms_key_id                = module.environment.kms_keys["ebs"].arn
		14 |   ebs_volume_config             = lookup(each.value, "ebs_volume_config", {})
		15 |   ebs_volumes                   = lookup(each.value, "ebs_volumes", {})
		16 |   ssm_parameters_prefix         = lookup(each.value, "ssm_parameters_prefix", "test/")
		17 |   ssm_parameters                = lookup(each.value, "ssm_parameters", null)
		18 |   autoscaling_group             = merge(local.ec2_test.autoscaling_group, lookup(each.value, "autoscaling_group", {}))
		19 |   autoscaling_schedules         = lookup(each.value, "autoscaling_schedules", local.autoscaling_schedules_default)
		20 | 
		21 |   iam_resource_names_prefix = "ec2-test-asg"
		22 |   instance_profile_policies = local.ec2_autoscale_common_managed_policies
		23 |   application_name          = local.application_name
		24 |   region                    = local.region
		25 |   subnet_ids                = module.environment.subnets["private"].ids
		26 |   tags                      = merge(local.ec2_test.tags, try(each.value.tags, {}))
		27 |   account_ids_lookup        = local.environment_management.account_ids
		28 |   cloudwatch_metric_alarms  = {}
		29 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name = "bastion-example"
		11 |   # public keys
		12 |   public_key_data = local.public_key_data.keys[local.environment]
		13 |   # logs
		14 |   log_auto_clean       = "Enabled"
		15 |   log_standard_ia_days = 30  # days before moving to IA storage
		16 |   log_glacier_days     = 60  # days before moving to Glacier
		17 |   log_expiry_days      = 180 # days before log expiration
		18 |   # bastion
		19 |   allow_ssh_commands = false
		20 |   app_name           = var.networking[0].application
		21 |   business_unit      = local.vpc_name
		22 |   subnet_set         = local.subnet_set
		23 |   environment        = local.environment
		24 |   region             = "eu-west-2"
		25 | 
		26 |   # Tags
		27 |   tags_common = local.tags
		28 |   tags_prefix = terraform.workspace
		29 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ec2_complete_policy
	File: /ec2_complete.tf:153-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		153 | data "aws_iam_policy_document" "ec2_complete_policy" {
		154 |   statement {
		155 |     sid    = "AllowSSMAccess"
		156 |     effect = "Allow"
		157 |     actions = [
		158 |       "ssm:StartSession",
		159 |       "ssm:ResumeSession",
		160 |       "ssm:TerminateSession",
		161 |       "ssmmessages:CreateControlChannel",
		162 |       "ssmmessages:CreateDataChannel",
		163 |       "ssmmessages:OpenControlChannel",
		164 |       "ssmmessages:OpenDataChannel",
		165 |       "ec2messages:AcknowledgeMessage",
		166 |       "ec2:DescribeInstances"
		167 |     ]
		168 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		169 |   }
		170 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_complete_policy
	File: /ec2_complete.tf:153-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		153 | data "aws_iam_policy_document" "ec2_complete_policy" {
		154 |   statement {
		155 |     sid    = "AllowSSMAccess"
		156 |     effect = "Allow"
		157 |     actions = [
		158 |       "ssm:StartSession",
		159 |       "ssm:ResumeSession",
		160 |       "ssm:TerminateSession",
		161 |       "ssmmessages:CreateControlChannel",
		162 |       "ssmmessages:CreateDataChannel",
		163 |       "ssmmessages:OpenControlChannel",
		164 |       "ssmmessages:OpenDataChannel",
		165 |       "ec2messages:AcknowledgeMessage",
		166 |       "ec2:DescribeInstances"
		167 |     ]
		168 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		169 |   }
		170 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs-cluster
	File: /ecs.tf:5-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "ecs-cluster" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.0.3"
		7  | 
		8  |   ec2_capacity_instance_type     = local.application_data.accounts[local.environment].container_instance_type
		9  |   ec2_capacity_max_size          = local.application_data.accounts[local.environment].ec2_max_size
		10 |   ec2_capacity_min_size          = local.application_data.accounts[local.environment].ec2_min_size
		11 |   ec2_capacity_security_group_id = aws_security_group.cluster_ec2.id
		12 |   ec2_subnet_ids = [
		13 |     data.aws_subnet.private_subnets_a.id,
		14 |     data.aws_subnet.private_subnets_b.id,
		15 |     data.aws_subnet.private_subnets_c.id
		16 |   ]
		17 |   environment = local.environment
		18 |   name        = local.ecs_application_name
		19 |   namespace   = "platforms"
		20 |   tags        = local.tags
		21 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: service
	File: /ecs.tf:23-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "service" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0"
		25 | 
		26 |   container_definition_json = templatefile("${path.module}/templates/task_definition.json.tftpl", {})
		27 |   ecs_cluster_arn           = module.ecs-cluster.ecs_cluster_arn
		28 |   name                      = "${local.ecs_application_name}-task_definition_volume"
		29 |   namespace                 = "platforms"
		30 |   vpc_id                    = local.vpc_all
		31 | 
		32 |   launch_type  = local.application_data.accounts[local.environment].launch_type
		33 |   network_mode = local.application_data.accounts[local.environment].network_mode
		34 | 
		35 |   task_cpu    = local.application_data.accounts[local.environment].container_cpu
		36 |   task_memory = local.application_data.accounts[local.environment].container_memory
		37 | 
		38 |   task_exec_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.ecs_application_name}-ecs-task-execution-role"
		39 | 
		40 |   environment = local.environment
		41 |   ecs_load_balancers = [
		42 |     {
		43 |       target_group_arn = aws_lb_target_group.ecs_target_group.arn
		44 |       container_name   = local.ecs_application_name
		45 |       container_port   = 80
		46 |     }
		47 |   ]
		48 | 
		49 |   subnet_ids = [
		50 |     data.aws_subnet.private_subnets_a.id,
		51 |     data.aws_subnet.private_subnets_b.id,
		52 |     data.aws_subnet.private_subnets_c.id
		53 |   ]
		54 | 
		55 |   ignore_changes_task_definition = false
		56 |   tags                           = local.tags
		57 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_lb_access_logs_enabled
	File: /ecs.tf:125-144
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		125 | module "ecs_lb_access_logs_enabled" {
		126 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0"
		127 |   providers = {
		128 |     # Here we use the default provider for the S3 bucket module; bucket replication is disabled but we still
		129 |     # need to pass the provider to the S3 bucket module
		130 |     aws.bucket-replication = aws
		131 |   }
		132 |   vpc_all = "${local.vpc_name}-${local.environment}"
		133 |   #existing_bucket_name               = "my-bucket-name"
		134 |   force_destroy_bucket       = true # enables destruction of logging bucket
		135 |   application_name           = local.ecs_application_name
		136 |   public_subnets             = [data.aws_subnet.data_subnets_a.id, data.aws_subnet.data_subnets_b.id, data.aws_subnet.data_subnets_c.id]
		137 |   loadbalancer_ingress_rules = local.ecs_loadbalancer_ingress_rules
		138 |   loadbalancer_egress_rules  = local.ecs_loadbalancer_egress_rules
		139 |   tags                       = local.tags
		140 |   account_number             = local.environment_management.account_ids[terraform.workspace]
		141 |   region                     = "eu-west-2"
		142 |   enable_deletion_protection = false
		143 |   idle_timeout               = 60
		144 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.lb_example_instance
	File: /loadbalancer.tf:325-341
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		325 | resource "aws_instance" "lb_example_instance" {
		326 |   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
		327 |   # Specify the instance type and ami to be used (this is the Amazon free tier option)
		328 |   instance_type          = local.application_data.accounts[local.environment].instance_type
		329 |   ami                    = local.application_data.accounts[local.environment].ami_image_id
		330 |   vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id]
		331 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		332 |   monitoring             = true
		333 |   ebs_optimized          = true
		334 | 
		335 |   metadata_options {
		336 |     http_endpoint = "enabled"
		337 |     http_tokens   = "required"
		338 |   }
		339 |   tags       = { Name = lower(format("ec2-%s-%s-example", local.application_name, local.environment)) }
		340 |   depends_on = [aws_security_group.example_load_balancer_sg]
		341 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-lb
	File: /loadbalancer.tf:182-245
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: lb_access_logs_enabled
	File: /loadbalancer_module.tf:2-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "lb_access_logs_enabled" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0"
		4  |   providers = {
		5  |     # Here we use the default provider for the S3 bucket module; bucket replication is disabled but we still
		6  |     # need to pass the provider to the S3 bucket module
		7  |     aws.bucket-replication = aws
		8  |   }
		9  |   vpc_all = "${local.vpc_name}-${local.environment}"
		10 |   #existing_bucket_name               = "my-bucket-name"
		11 |   force_destroy_bucket       = true # enables destruction of logging bucket
		12 |   application_name           = local.application_name
		13 |   public_subnets             = [data.aws_subnet.data_subnets_a.id, data.aws_subnet.data_subnets_b.id, data.aws_subnet.data_subnets_c.id]
		14 |   loadbalancer_ingress_rules = local.loadbalancer_ingress_rules
		15 |   loadbalancer_egress_rules  = local.loadbalancer_egress_rules
		16 |   account_number             = local.environment_management.account_ids[terraform.workspace]
		17 |   region                     = "eu-west-2"
		18 |   enable_deletion_protection = false
		19 |   idle_timeout               = 60
		20 |   tags                       = {}
		21 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.Example-RDS
	File: /rds.tf:11-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		11 | resource "aws_db_instance" "Example-RDS" { #tfsec:ignore:aws-rds-enable-deletion-protection
		12 |   engine                     = "mysql"
		13 |   engine_version             = "5.7"
		14 |   auto_minor_version_upgrade = true
		15 |   instance_class             = local.application_data.accounts[local.environment].db_instance_class
		16 |   db_name                    = "${local.application_name}${local.environment}database"
		17 |   identifier                 = "${local.application_name}-${local.environment}-database"
		18 |   username                   = local.application_data.accounts[local.environment].db_user
		19 |   password                   = aws_secretsmanager_secret_version.db_password.secret_string
		20 |   # tflint-ignore: aws_db_instance_default_parameter_group
		21 |   parameter_group_name        = "default.mysql5.7"
		22 |   skip_final_snapshot         = local.application_data.accounts[local.environment].skip_final_snapshot
		23 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		24 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		25 |   maintenance_window          = local.application_data.accounts[local.environment].maintenance_window
		26 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].allow_major_version_upgrade
		27 |   backup_window               = local.application_data.accounts[local.environment].backup_window
		28 |   backup_retention_period     = local.application_data.accounts[local.environment].retention_period
		29 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		30 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		31 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional" #tfsec:ignore:aws-rds-enable-database-authentication
		32 |   multi_az = local.application_data.accounts[local.environment].db_multi_az
		33 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		34 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		35 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		36 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		37 |   storage_encrypted               = true
		38 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		39 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		40 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		41 |   tags = merge(local.tags,
		42 |     { Name = lower(format("%s-%s-example", local.application_name, local.environment)) }
		43 |   )
		44 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.Example-RDS
	File: /rds.tf:11-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		11 | resource "aws_db_instance" "Example-RDS" { #tfsec:ignore:aws-rds-enable-deletion-protection
		12 |   engine                     = "mysql"
		13 |   engine_version             = "5.7"
		14 |   auto_minor_version_upgrade = true
		15 |   instance_class             = local.application_data.accounts[local.environment].db_instance_class
		16 |   db_name                    = "${local.application_name}${local.environment}database"
		17 |   identifier                 = "${local.application_name}-${local.environment}-database"
		18 |   username                   = local.application_data.accounts[local.environment].db_user
		19 |   password                   = aws_secretsmanager_secret_version.db_password.secret_string
		20 |   # tflint-ignore: aws_db_instance_default_parameter_group
		21 |   parameter_group_name        = "default.mysql5.7"
		22 |   skip_final_snapshot         = local.application_data.accounts[local.environment].skip_final_snapshot
		23 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		24 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		25 |   maintenance_window          = local.application_data.accounts[local.environment].maintenance_window
		26 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].allow_major_version_upgrade
		27 |   backup_window               = local.application_data.accounts[local.environment].backup_window
		28 |   backup_retention_period     = local.application_data.accounts[local.environment].retention_period
		29 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		30 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		31 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional" #tfsec:ignore:aws-rds-enable-database-authentication
		32 |   multi_az = local.application_data.accounts[local.environment].db_multi_az
		33 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		34 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		35 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		36 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		37 |   storage_encrypted               = true
		38 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		39 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		40 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		41 |   tags = merge(local.tags,
		42 |     { Name = lower(format("%s-%s-example", local.application_name, local.environment)) }
		43 |   )
		44 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /s3.tf:8-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.Example-RDS
	File: /rds.tf:11-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		11 | resource "aws_db_instance" "Example-RDS" { #tfsec:ignore:aws-rds-enable-deletion-protection
		12 |   engine                     = "mysql"
		13 |   engine_version             = "5.7"
		14 |   auto_minor_version_upgrade = true
		15 |   instance_class             = local.application_data.accounts[local.environment].db_instance_class
		16 |   db_name                    = "${local.application_name}${local.environment}database"
		17 |   identifier                 = "${local.application_name}-${local.environment}-database"
		18 |   username                   = local.application_data.accounts[local.environment].db_user
		19 |   password                   = aws_secretsmanager_secret_version.db_password.secret_string
		20 |   # tflint-ignore: aws_db_instance_default_parameter_group
		21 |   parameter_group_name        = "default.mysql5.7"
		22 |   skip_final_snapshot         = local.application_data.accounts[local.environment].skip_final_snapshot
		23 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		24 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		25 |   maintenance_window          = local.application_data.accounts[local.environment].maintenance_window
		26 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].allow_major_version_upgrade
		27 |   backup_window               = local.application_data.accounts[local.environment].backup_window
		28 |   backup_retention_period     = local.application_data.accounts[local.environment].retention_period
		29 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		30 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		31 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional" #tfsec:ignore:aws-rds-enable-database-authentication
		32 |   multi_az = local.application_data.accounts[local.environment].db_multi_az
		33 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		34 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		35 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		36 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		37 |   storage_encrypted               = true
		38 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		39 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		40 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		41 |   tags = merge(local.tags,
		42 |     { Name = lower(format("%s-%s-example", local.application_name, local.environment)) }
		43 |   )
		44 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.example_ec2_autoscale_sg
	File: /ec2_autoscaling_group.tf:73-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		73 | resource "aws_security_group" "example_ec2_autoscale_sg" {
		74 |   name        = "example_ec2_autoscale_sg"
		75 |   description = "Controls access to EC2"
		76 |   vpc_id      = data.aws_vpc.shared.id
		77 |   tags        = { Name = lower(format("sg-%s-%s-example", local.application_name, local.environment)) }
		78 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.complete_example_ec2_sg
	File: /ec2_complete.tf:207-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		207 | resource "aws_security_group" "complete_example_ec2_sg" {
		208 |   name        = "complete_ec2_sg"
		209 |   description = "Ingress and Egress Access Controls for EC2"
		210 |   vpc_id      = data.aws_vpc.shared.id
		211 |   tags        = { Name = lower(format("sg-%s-%s-example", local.application_name, local.environment)) }
		212 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.cluster_ec2
	File: /ecs.tf:187-215
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		187 | resource "aws_security_group" "cluster_ec2" {
		188 |   #checkov:skip=CKV_AWS_23
		189 |   name        = "cluster_ec2"
		190 |   description = "controls access to the cluster ec2 instance"
		191 |   vpc_id      = data.aws_vpc.shared.id
		192 |   dynamic "ingress" {
		193 |     for_each = local.ec2_ingress_rules
		194 |     content {
		195 |       description     = lookup(ingress.value, "description", null)
		196 |       from_port       = lookup(ingress.value, "from_port", null)
		197 |       to_port         = lookup(ingress.value, "to_port", null)
		198 |       protocol        = lookup(ingress.value, "protocol", null)
		199 |       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
		200 |       security_groups = lookup(ingress.value, "security_groups", null)
		201 |     }
		202 |   }
		203 |   dynamic "egress" {
		204 |     for_each = local.ec2_egress_rules
		205 |     content {
		206 |       description     = lookup(egress.value, "description", null)
		207 |       from_port       = lookup(egress.value, "from_port", null)
		208 |       to_port         = lookup(egress.value, "to_port", null)
		209 |       protocol        = lookup(egress.value, "protocol", null)
		210 |       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
		211 |       security_groups = lookup(egress.value, "security_groups", null)
		212 |     }
		213 |   }
		214 |   tags = { Name = lower(format("sg-%s-%s-example", local.application_name, local.environment)) }
		215 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /rds.tf:76-86
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		76 | resource "aws_secretsmanager_secret" "db_password" {
		77 |   #checkov:skip=CKV_AWS_149
		78 |   name                    = "${var.networking[0].application}-db-password"
		79 |   recovery_window_in_days = 0
		80 |   tags = merge(
		81 |     local.tags,
		82 |     {
		83 |       Name = "${var.networking[0].application}-db-password"
		84 |     },
		85 |   )
		86 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.certificate_example_lb
	File: /certificates.tf:63-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		63 | resource "aws_lb" "certificate_example_lb" {
		64 |   name               = "certificate-example-loadbalancer"
		65 |   load_balancer_type = "application"
		66 |   subnets            = data.aws_subnets.shared-public.ids
		67 |   #checkov:skip=CKV_AWS_150:Short-lived example environment, hence no need for deletion protection
		68 |   enable_deletion_protection = false
		69 |   # allow 60*4 seconds before 504 gateway timeout for long-running DB operations
		70 |   idle_timeout               = 240
		71 |   drop_invalid_header_fields = true
		72 | 
		73 |   security_groups = [aws_security_group.certificate_example_load_balancer_sg.id]
		74 | 
		75 |   access_logs {
		76 |     bucket  = module.s3-bucket-lb.bucket.id
		77 |     prefix  = "test-lb"
		78 |     enabled = true
		79 |   }
		80 | 
		81 |   tags       = { Name = "${local.application_name}-external-loadbalancer" }
		82 |   depends_on = [aws_security_group.certificate_example_load_balancer_sg]
		83 | }


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/example

*****************************

Running tflint in terraform/environments/example
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/example/rds.tf line 93:
  93: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/example

*****************************

Running Trivy in terraform/environments/example
2024-05-15T00:30:17Z	INFO	Need to update DB
2024-05-15T00:30:17Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-15T00:30:19Z	INFO	Vulnerability scanning is enabled
2024-05-15T00:30:19Z	INFO	Misconfiguration scanning is enabled
2024-05-15T00:30:19Z	INFO	Need to update the built-in policies
2024-05-15T00:30:19Z	INFO	Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-05-15T00:30:19Z	INFO	Secret scanning is enabled
2024-05-15T00:30:19Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-15T00:30:19Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-15T00:30:23Z	INFO	Number of language-specific files	num=0
2024-05-15T00:30:23Z	INFO	Detected config files	num=17

ec2.tf (terraform)
==================
Tests: 8 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ec2_autoscaling_group.tf (terraform)
====================================
Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ec2_complete.tf (terraform)
===========================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ec2_complete.tf:233
   via ec2_complete.tf:225-234 (aws_security_group_rule.complete_egress_traffic["TCP_ALL"])
────────────────────────────────────────
 225   resource "aws_security_group_rule" "complete_egress_traffic" {
 226     for_each          = local.complete_ec2_sg_egress_rules
 227     description       = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port)
 228     from_port         = each.value.from_port
 229     protocol          = each.value.protocol
 230     security_group_id = aws_security_group.example_ec2_sg.id
 231     to_port           = each.value.to_port
 232     type              = "egress"
 233 [   cidr_blocks       = [each.value.cidr_block]
 234   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 5 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:210
   via ecs.tf:205-212 (content)
    via ecs.tf:203-213 (dynamic.egress["cluster_ec2_lb_egress"])
     via ecs.tf:187-215 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 187   resource "aws_security_group" "cluster_ec2" {
 ...   
 210 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 215   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/main.tf (terraform)
==========================================================================================================
Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf (terraform)
==================================================================================================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:44
   via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:40-45 (metadata_options)
    via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:1-99 (aws_launch_template.this)
     via ec2_autoscaling_group.tf:1-29 (module.ec2_test_autoscaling_group["dev-rh-rhel79"])
────────────────────────────────────────
   1   resource "aws_launch_template" "this" {
   .   
  44 [     http_tokens = coalesce(var.instance.metadata_options_http_tokens, "required")
  ..   
  99   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf (terraform)
==============================================================================================================================================================================================================================
Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:9-64 (module.s3-bucket[0])
    via ecs.tf:125-144 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
 171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:9-64 (module.s3-bucket[0])
    via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
 171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf (terraform)
=========================================================================================================
Tests: 16 (SUCCESSES: 10, FAILURES: 4, EXCEPTIONS: 2)
Failures: 4 (HIGH: 2, CRITICAL: 2)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:148
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:144-175 (aws_lb.loadbalancer)
    via ecs.tf:125-144 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
 144   resource "aws_lb" "loadbalancer" {
 ...   
 148 [   internal                         = var.internal_lb
 ...   
 175   }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:148
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:144-175 (aws_lb.loadbalancer)
    via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
 144   resource "aws_lb" "loadbalancer" {
 ...   
 148 [   internal                         = var.internal_lb
 ...   
 175   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:177-213 (aws_security_group.lb[0])
      via ecs.tf:125-144 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf (terraform)
======================================================================================================
Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179
   via s3.tf:8-72 (module.s3-bucket)
────────────────────────────────────────
 171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179
   via loadbalancer.tf:182-245 (module.s3-bucket-lb)
────────────────────────────────────────
 171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 7 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 loadbalancer.tf:325-341
────────────────────────────────────────
 325 ┌ resource "aws_instance" "lb_example_instance" {
 326 │   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
 327 │   # Specify the instance type and ami to be used (this is the Amazon free tier option)
 328 │   instance_type          = local.application_data.accounts[local.environment].instance_type
 329 │   ami                    = local.application_data.accounts[local.environment].ami_image_id
 330 │   vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id]
 331 │   subnet_id              = data.aws_subnet.private_subnets_a.id
 332 │   monitoring             = true
 333 └   ebs_optimized          = true
 ...   
────────────────────────────────────────


trivy_exitcode=1

Bumps [service::modernisation-platform-terraform-ecs-cluster](https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster) from 3.0.0 to 4.3.0.
- [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster/releases)
- [Commits](ministryofjustice/modernisation-platform-terraform-ecs-cluster@v3.0.0...v4.3.0)

---
updated-dependencies:
- dependency-name: service::github::ministryofjustice/modernisation-platform-terraform-ecs-cluster::v3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/terraform/terraform/environments/example/service--github--ministryofjustice/modernisation-platform-terraform-ecs-cluster--v3.0.0-4.3.0 branch from 4c88fca to 4516652 on May 15, 2024 10:23

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/example


Running Trivy in terraform/environments/example
2024-05-15T10:25:14Z INFO Need to update DB
2024-05-15T10:25:14Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-15T10:25:16Z INFO Vulnerability scanning is enabled
2024-05-15T10:25:16Z INFO Misconfiguration scanning is enabled
2024-05-15T10:25:16Z INFO Need to update the built-in policies
2024-05-15T10:25:16Z INFO Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-05-15T10:25:17Z INFO Secret scanning is enabled
2024-05-15T10:25:17Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-15T10:25:17Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-15T10:25:24Z INFO Number of language-specific files num=0
2024-05-15T10:25:24Z INFO Detected config files num=17

ec2.tf (terraform)

Tests: 8 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

ec2_autoscaling_group.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

ec2_complete.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2_complete.tf:233
via ec2_complete.tf:225-234 (aws_security_group_rule.complete_egress_traffic["TCP_ALL"])
────────────────────────────────────────
225 resource "aws_security_group_rule" "complete_egress_traffic" {
226 for_each = local.complete_ec2_sg_egress_rules
227 description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port)
228 from_port = each.value.from_port
229 protocol = each.value.protocol
230 security_group_id = aws_security_group.example_ec2_sg.id
231 to_port = each.value.to_port
232 type = "egress"
233 [ cidr_blocks = [each.value.cidr_block]
234 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:213
via ecs.tf:208-215 (content)
via ecs.tf:206-216 (dynamic.egress["cluster_ec2_lb_egress"])
via ecs.tf:190-218 (aws_security_group.cluster_ec2)
────────────────────────────────────────
190 resource "aws_security_group" "cluster_ec2" {
...
213 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
218 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/main.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:44
via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:40-45 (metadata_options)
via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:1-99 (aws_launch_template.this)
via ec2_autoscaling_group.tf:1-29 (module.ec2_test_autoscaling_group["dev-rh-rhel79"])
────────────────────────────────────────
1 resource "aws_launch_template" "this" {
.
44 [ http_tokens = coalesce(var.instance.metadata_options_http_tokens, "required")
..
99 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf (terraform)

Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:9-64 (module.s3-bucket[0])
via ecs.tf:128-147 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │ }
178 │ }
179 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:9-64 (module.s3-bucket[0])
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │ }
178 │ }
179 └ }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf (terraform)

Tests: 16 (SUCCESSES: 10, FAILURES: 4, EXCEPTIONS: 2)
Failures: 4 (HIGH: 2, CRITICAL: 2)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:148
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:144-175 (aws_lb.loadbalancer)
via ecs.tf:128-147 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
144 resource "aws_lb" "loadbalancer" {
...
148 [ internal = var.internal_lb
...
175 }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:148
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:144-175 (aws_lb.loadbalancer)
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
144 resource "aws_lb" "loadbalancer" {
...
148 [ internal = var.internal_lb
...
175 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:177-213 (aws_security_group.lb[0])
via ecs.tf:128-147 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf (terraform)

Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179
via s3.tf:8-72 (module.s3-bucket)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │ }
178 │ }
179 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179
via loadbalancer.tf:182-245 (module.s3-bucket-lb)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │ }
178 │ }
179 └ }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
loadbalancer.tf:325-341
────────────────────────────────────────
325 ┌ resource "aws_instance" "lb_example_instance" {
326 │   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
327 │   # Specify the instance type and ami to be used (this is the Amazon free tier option)
328 │   instance_type          = local.application_data.accounts[local.environment].instance_type
329 │   ami                    = local.application_data.accounts[local.environment].ami_image_id
330 │   vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id]
331 │   subnet_id              = data.aws_subnet.private_subnets_a.id
332 │   monitoring             = true
333 └   ebs_optimized          = true
...
────────────────────────────────────────

trivy_exitcode=1

</details>

#### `Checkov Scan` Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/example

*****************************

Running Checkov in terraform/environments/example
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-15 10:25:27,539 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-05-15 10:25:27,540 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-05-15 10:25:27,540 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=v2.4.1:None (for external modules, the --download-external-modules flag is required)
2024-05-15 10:25:27,540 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
2024-05-15 10:25:27,540 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=edc55b4005b7039e5b54ad7805e89a473fe3c3dd:None (for external modules, the --download-external-modules flag is required)
2024-05-15 10:25:27,540 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.0.3:None (for external modules, the --download-external-modules flag is required)
2024-05-15 10:25:27,540 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
2024-05-15 10:25:27,540 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 256, Failed checks: 30, Skipped checks: 20

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ec2_test_instance["example-test-1"]
	File: /ec2.tf:6-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "ec2_test_instance" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=v2.4.1"
		8  | 
		9  |   providers = {
		10 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |   }
		12 |   for_each                      = try(local.ec2_test.ec2_test_instances, {})
		13 |   name                          = each.key
		14 |   ami_name                      = each.value.ami_name
		15 |   ami_owner                     = try(each.value.ami_owner, "core-shared-services-production")
		16 |   instance                      = merge(local.instance, lookup(each.value, "instance", { disable_api_stop = false }))
		17 |   ebs_volumes_copy_all_from_ami = try(each.value.ebs_volumes_copy_all_from_ami, true)
		18 |   ebs_kms_key_id                = module.environment.kms_keys["ebs"].arn
		19 |   ebs_volume_config             = lookup(each.value, "ebs_volume_config", {})
		20 |   ebs_volumes                   = lookup(each.value, "ebs_volumes", {})
		21 |   ssm_parameters_prefix         = lookup(each.value, "ssm_parameters_prefix", "test/")
		22 |   ssm_parameters                = lookup(each.value, "ssm_parameters", null)
		23 |   route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {}))
		24 | 
		25 |   iam_resource_names_prefix = "ec2-test-instance"
		26 |   instance_profile_policies = local.ec2_common_managed_policies
		27 | 
		28 |   business_unit            = local.business_unit
		29 |   application_name         = local.application_name
		30 |   environment              = local.environment
		31 |   region                   = local.region
		32 |   availability_zone        = local.availability_zone_1
		33 |   subnet_id                = module.environment.subnet["private"][local.availability_zone_1].id
		34 |   tags                     = merge(local.ec2_test.tags, try(each.value.tags, {}))
		35 |   account_ids_lookup       = local.environment_management.account_ids
		36 |   cloudwatch_metric_alarms = {}
		37 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ec2_test_instance["example-test-2"]
	File: /ec2.tf:6-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "ec2_test_instance" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=v2.4.1"
		8  | 
		9  |   providers = {
		10 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |   }
		12 |   for_each                      = try(local.ec2_test.ec2_test_instances, {})
		13 |   name                          = each.key
		14 |   ami_name                      = each.value.ami_name
		15 |   ami_owner                     = try(each.value.ami_owner, "core-shared-services-production")
		16 |   instance                      = merge(local.instance, lookup(each.value, "instance", { disable_api_stop = false }))
		17 |   ebs_volumes_copy_all_from_ami = try(each.value.ebs_volumes_copy_all_from_ami, true)
		18 |   ebs_kms_key_id                = module.environment.kms_keys["ebs"].arn
		19 |   ebs_volume_config             = lookup(each.value, "ebs_volume_config", {})
		20 |   ebs_volumes                   = lookup(each.value, "ebs_volumes", {})
		21 |   ssm_parameters_prefix         = lookup(each.value, "ssm_parameters_prefix", "test/")
		22 |   ssm_parameters                = lookup(each.value, "ssm_parameters", null)
		23 |   route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {}))
		24 | 
		25 |   iam_resource_names_prefix = "ec2-test-instance"
		26 |   instance_profile_policies = local.ec2_common_managed_policies
		27 | 
		28 |   business_unit            = local.business_unit
		29 |   application_name         = local.application_name
		30 |   environment              = local.environment
		31 |   region                   = local.region
		32 |   availability_zone        = local.availability_zone_1
		33 |   subnet_id                = module.environment.subnet["private"][local.availability_zone_1].id
		34 |   tags                     = merge(local.ec2_test.tags, try(each.value.tags, {}))
		35 |   account_ids_lookup       = local.environment_management.account_ids
		36 |   cloudwatch_metric_alarms = {}
		37 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /ec2.tf:136-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		136 | data "aws_iam_policy_document" "ec2_policy" {
		137 |   statement {
		138 |     sid    = "CustomEc2Policy"
		139 |     effect = "Allow"
		140 |     actions = [
		141 |       "ec2:*"
		142 |     ]
		143 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		144 |   }
		145 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /ec2.tf:136-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		136 | data "aws_iam_policy_document" "ec2_policy" {
		137 |   statement {
		138 |     sid    = "CustomEc2Policy"
		139 |     effect = "Allow"
		140 |     actions = [
		141 |       "ec2:*"
		142 |     ]
		143 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		144 |   }
		145 | }

Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /ec2.tf:136-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure

		136 | data "aws_iam_policy_document" "ec2_policy" {
		137 |   statement {
		138 |     sid    = "CustomEc2Policy"
		139 |     effect = "Allow"
		140 |     actions = [
		141 |       "ec2:*"
		142 |     ]
		143 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		144 |   }
		145 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /ec2.tf:136-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		136 | data "aws_iam_policy_document" "ec2_policy" {
		137 |   statement {
		138 |     sid    = "CustomEc2Policy"
		139 |     effect = "Allow"
		140 |     actions = [
		141 |       "ec2:*"
		142 |     ]
		143 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		144 |   }
		145 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ebs-kms
	File: /ec2.tf:184-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		184 | data "aws_iam_policy_document" "ebs-kms" {
		185 |   #checkov:skip=CKV_AWS_111
		186 |   #checkov:skip=CKV_AWS_109
		187 |   statement {
		188 |     effect    = "Allow"
		189 |     actions   = ["kms:*"]
		190 |     resources = ["*"]
		191 | 
		192 |     principals {
		193 |       type = "Service"
		194 |       identifiers = [
		195 |       "ec2.amazonaws.com"]
		196 |     }
		197 |   }
		198 |   statement {
		199 |     effect    = "Allow"
		200 |     actions   = ["kms:*"]
		201 |     resources = ["*"]
		202 | 
		203 |     principals {
		204 |       type = "AWS"
		205 |       identifiers = [
		206 |       "arn:aws:iam::${data.aws_caller_identity.original_session.id}:root"]
		207 |     }
		208 |   }
		209 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ec2_test_autoscaling_group["dev-rh-rhel79"]
	File: /ec2_autoscaling_group.tf:1-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "ec2_test_autoscaling_group" {
		2  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1"
		3  | 
		4  |   providers = {
		5  |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		6  |   }
		7  |   for_each                      = try(local.ec2_test.ec2_test_autoscaling_groups, {})
		8  |   name                          = each.key
		9  |   ami_name                      = each.value.ami_name
		10 |   ami_owner                     = try(each.value.ami_owner, "core-shared-services-production")
		11 |   instance                      = merge(local.autoscale_instance, lookup(each.value, "instance", {}))
		12 |   ebs_volumes_copy_all_from_ami = try(each.value.ebs_volumes_copy_all_from_ami, true)
		13 |   ebs_kms_key_id                = module.environment.kms_keys["ebs"].arn
		14 |   ebs_volume_config             = lookup(each.value, "ebs_volume_config", {})
		15 |   ebs_volumes                   = lookup(each.value, "ebs_volumes", {})
		16 |   ssm_parameters_prefix         = lookup(each.value, "ssm_parameters_prefix", "test/")
		17 |   ssm_parameters                = lookup(each.value, "ssm_parameters", null)
		18 |   autoscaling_group             = merge(local.ec2_test.autoscaling_group, lookup(each.value, "autoscaling_group", {}))
		19 |   autoscaling_schedules         = lookup(each.value, "autoscaling_schedules", local.autoscaling_schedules_default)
		20 | 
		21 |   iam_resource_names_prefix = "ec2-test-asg"
		22 |   instance_profile_policies = local.ec2_autoscale_common_managed_policies
		23 |   application_name          = local.application_name
		24 |   region                    = local.region
		25 |   subnet_ids                = module.environment.subnets["private"].ids
		26 |   tags                      = merge(local.ec2_test.tags, try(each.value.tags, {}))
		27 |   account_ids_lookup        = local.environment_management.account_ids
		28 |   cloudwatch_metric_alarms  = {}
		29 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ec2_autoscale_policy
	File: /ec2_autoscaling_group.tf:61-70
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		61 | data "aws_iam_policy_document" "ec2_autoscale_policy" {
		62 |   statement {
		63 |     sid    = "CustomEc2Policy"
		64 |     effect = "Allow"
		65 |     actions = [
		66 |       "ec2:*"
		67 |     ]
		68 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		69 |   }
		70 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_autoscale_policy
	File: /ec2_autoscaling_group.tf:61-70
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		61 | data "aws_iam_policy_document" "ec2_autoscale_policy" {
		62 |   statement {
		63 |     sid    = "CustomEc2Policy"
		64 |     effect = "Allow"
		65 |     actions = [
		66 |       "ec2:*"
		67 |     ]
		68 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		69 |   }
		70 | }

Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy_document.ec2_autoscale_policy
	File: /ec2_autoscaling_group.tf:61-70
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure

		61 | data "aws_iam_policy_document" "ec2_autoscale_policy" {
		62 |   statement {
		63 |     sid    = "CustomEc2Policy"
		64 |     effect = "Allow"
		65 |     actions = [
		66 |       "ec2:*"
		67 |     ]
		68 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		69 |   }
		70 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_autoscale_policy
	File: /ec2_autoscaling_group.tf:61-70
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		61 | data "aws_iam_policy_document" "ec2_autoscale_policy" {
		62 |   statement {
		63 |     sid    = "CustomEc2Policy"
		64 |     effect = "Allow"
		65 |     actions = [
		66 |       "ec2:*"
		67 |     ]
		68 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		69 |   }
		70 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name = "bastion-example"
		11 |   # public keys
		12 |   public_key_data = local.public_key_data.keys[local.environment]
		13 |   # logs
		14 |   log_auto_clean       = "Enabled"
		15 |   log_standard_ia_days = 30  # days before moving to IA storage
		16 |   log_glacier_days     = 60  # days before moving to Glacier
		17 |   log_expiry_days      = 180 # days before log expiration
		18 |   # bastion
		19 |   allow_ssh_commands = false
		20 |   app_name           = var.networking[0].application
		21 |   business_unit      = local.vpc_name
		22 |   subnet_set         = local.subnet_set
		23 |   environment        = local.environment
		24 |   region             = "eu-west-2"
		25 | 
		26 |   # Tags
		27 |   tags_common = local.tags
		28 |   tags_prefix = terraform.workspace
		29 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ec2_complete_policy
	File: /ec2_complete.tf:153-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		153 | data "aws_iam_policy_document" "ec2_complete_policy" {
		154 |   statement {
		155 |     sid    = "AllowSSMAccess"
		156 |     effect = "Allow"
		157 |     actions = [
		158 |       "ssm:StartSession",
		159 |       "ssm:ResumeSession",
		160 |       "ssm:TerminateSession",
		161 |       "ssmmessages:CreateControlChannel",
		162 |       "ssmmessages:CreateDataChannel",
		163 |       "ssmmessages:OpenControlChannel",
		164 |       "ssmmessages:OpenDataChannel",
		165 |       "ec2messages:AcknowledgeMessage",
		166 |       "ec2:DescribeInstances"
		167 |     ]
		168 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		169 |   }
		170 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_complete_policy
	File: /ec2_complete.tf:153-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		153 | data "aws_iam_policy_document" "ec2_complete_policy" {
		154 |   statement {
		155 |     sid    = "AllowSSMAccess"
		156 |     effect = "Allow"
		157 |     actions = [
		158 |       "ssm:StartSession",
		159 |       "ssm:ResumeSession",
		160 |       "ssm:TerminateSession",
		161 |       "ssmmessages:CreateControlChannel",
		162 |       "ssmmessages:CreateDataChannel",
		163 |       "ssmmessages:OpenControlChannel",
		164 |       "ssmmessages:OpenDataChannel",
		165 |       "ec2messages:AcknowledgeMessage",
		166 |       "ec2:DescribeInstances"
		167 |     ]
		168 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		169 |   }
		170 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs-cluster
	File: /ecs.tf:6-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "ecs-cluster" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.0.3"
		8  | 
		9  |   ec2_capacity_instance_type     = local.application_data.accounts[local.environment].container_instance_type
		10 |   ec2_capacity_max_size          = local.application_data.accounts[local.environment].ec2_max_size
		11 |   ec2_capacity_min_size          = local.application_data.accounts[local.environment].ec2_min_size
		12 |   ec2_capacity_security_group_id = aws_security_group.cluster_ec2.id
		13 |   ec2_subnet_ids = [
		14 |     data.aws_subnet.private_subnets_a.id,
		15 |     data.aws_subnet.private_subnets_b.id,
		16 |     data.aws_subnet.private_subnets_c.id
		17 |   ]
		18 |   environment = local.environment
		19 |   name        = local.ecs_application_name
		20 |   namespace   = "platforms"
		21 | 
		22 |   tags = local.tags
		23 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: service
	File: /ecs.tf:25-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		25 | module "service" {
		26 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0"
		27 | 
		28 |   container_definition_json = templatefile("${path.module}/templates/task_definition.json.tftpl", {})
		29 |   ecs_cluster_arn           = module.ecs-cluster.ecs_cluster_arn
		30 |   name                      = "${local.ecs_application_name}-task_definition_volume"
		31 |   namespace                 = "platforms"
		32 |   vpc_id                    = local.vpc_all
		33 | 
		34 |   launch_type  = local.application_data.accounts[local.environment].launch_type
		35 |   network_mode = local.application_data.accounts[local.environment].network_mode
		36 | 
		37 |   task_cpu    = local.application_data.accounts[local.environment].container_cpu
		38 |   task_memory = local.application_data.accounts[local.environment].container_memory
		39 | 
		40 |   task_exec_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.ecs_application_name}-ecs-task-execution-role"
		41 | 
		42 |   environment = local.environment
		43 |   ecs_load_balancers = [
		44 |     {
		45 |       target_group_arn = aws_lb_target_group.ecs_target_group.arn
		46 |       container_name   = local.ecs_application_name
		47 |       container_port   = 80
		48 |     }
		49 |   ]
		50 | 
		51 |   subnet_ids = [
		52 |     data.aws_subnet.private_subnets_a.id,
		53 |     data.aws_subnet.private_subnets_b.id,
		54 |     data.aws_subnet.private_subnets_c.id
		55 |   ]
		56 | 
		57 |   ignore_changes_task_definition = false
		58 | 
		59 |   tags = local.tags
		60 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_lb_access_logs_enabled
	File: /ecs.tf:128-147
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		128 | module "ecs_lb_access_logs_enabled" {
		129 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0"
		130 |   providers = {
		131 |     # Here we use the default provider for the S3 bucket module, buck replication is disabled but we still
		132 |     # Need to pass the provider to the S3 bucket module
		133 |     aws.bucket-replication = aws
		134 |   }
		135 |   vpc_all = "${local.vpc_name}-${local.environment}"
		136 |   #existing_bucket_name               = "my-bucket-name"
		137 |   force_destroy_bucket       = true # enables destruction of logging bucket
		138 |   application_name           = local.ecs_application_name
		139 |   public_subnets             = [data.aws_subnet.data_subnets_a.id, data.aws_subnet.data_subnets_b.id, data.aws_subnet.data_subnets_c.id]
		140 |   loadbalancer_ingress_rules = local.ecs_loadbalancer_ingress_rules
		141 |   loadbalancer_egress_rules  = local.ecs_loadbalancer_egress_rules
		142 |   tags                       = local.tags
		143 |   account_number             = local.environment_management.account_ids[terraform.workspace]
		144 |   region                     = "eu-west-2"
		145 |   enable_deletion_protection = false
		146 |   idle_timeout               = 60
		147 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-lb
	File: /loadbalancer.tf:182-245
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.lb_example_instance
	File: /loadbalancer.tf:325-341
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		325 | resource "aws_instance" "lb_example_instance" {
		326 |   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
		327 |   # Specify the instance type and ami to be used (this is the Amazon free tier option)
		328 |   instance_type          = local.application_data.accounts[local.environment].instance_type
		329 |   ami                    = local.application_data.accounts[local.environment].ami_image_id
		330 |   vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id]
		331 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		332 |   monitoring             = true
		333 |   ebs_optimized          = true
		334 | 
		335 |   metadata_options {
		336 |     http_endpoint = "enabled"
		337 |     http_tokens   = "required"
		338 |   }
		339 |   tags       = { Name = lower(format("ec2-%s-%s-example", local.application_name, local.environment)) }
		340 |   depends_on = [aws_security_group.example_load_balancer_sg]
		341 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: lb_access_logs_enabled
	File: /loadbalancer_module.tf:2-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "lb_access_logs_enabled" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0"
		4  |   providers = {
		5  |     # Here we use the default provider for the S3 bucket module, buck replication is disabled but we still
		6  |     # Need to pass the provider to the S3 bucket module
		7  |     aws.bucket-replication = aws
		8  |   }
		9  |   vpc_all = "${local.vpc_name}-${local.environment}"
		10 |   #existing_bucket_name               = "my-bucket-name"
		11 |   force_destroy_bucket       = true # enables destruction of logging bucket
		12 |   application_name           = local.application_name
		13 |   public_subnets             = [data.aws_subnet.data_subnets_a.id, data.aws_subnet.data_subnets_b.id, data.aws_subnet.data_subnets_c.id]
		14 |   loadbalancer_ingress_rules = local.loadbalancer_ingress_rules
		15 |   loadbalancer_egress_rules  = local.loadbalancer_egress_rules
		16 |   account_number             = local.environment_management.account_ids[terraform.workspace]
		17 |   region                     = "eu-west-2"
		18 |   enable_deletion_protection = false
		19 |   idle_timeout               = 60
		20 |   tags                       = {}
		21 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.Example-RDS
	File: /rds.tf:11-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		11 | resource "aws_db_instance" "Example-RDS" { #tfsec:ignore:aws-rds-enable-deletion-protection
		12 |   engine                     = "mysql"
		13 |   engine_version             = "5.7"
		14 |   auto_minor_version_upgrade = true
		15 |   instance_class             = local.application_data.accounts[local.environment].db_instance_class
		16 |   db_name                    = "${local.application_name}${local.environment}database"
		17 |   identifier                 = "${local.application_name}-${local.environment}-database"
		18 |   username                   = local.application_data.accounts[local.environment].db_user
		19 |   password                   = aws_secretsmanager_secret_version.db_password.secret_string
		20 |   # tflint-ignore: aws_db_instance_default_parameter_group
		21 |   parameter_group_name        = "default.mysql5.7"
		22 |   skip_final_snapshot         = local.application_data.accounts[local.environment].skip_final_snapshot
		23 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		24 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		25 |   maintenance_window          = local.application_data.accounts[local.environment].maintenance_window
		26 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].allow_major_version_upgrade
		27 |   backup_window               = local.application_data.accounts[local.environment].backup_window
		28 |   backup_retention_period     = local.application_data.accounts[local.environment].retention_period
		29 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		30 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		31 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional" #tfsec:ignore:aws-rds-enable-database-authentication
		32 |   multi_az = local.application_data.accounts[local.environment].db_multi_az
		33 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		34 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		35 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		36 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		37 |   storage_encrypted               = true
		38 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		39 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		40 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		41 |   tags = merge(local.tags,
		42 |     { Name = lower(format("%s-%s-example", local.application_name, local.environment)) }
		43 |   )
		44 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.Example-RDS
	File: /rds.tf:11-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		11 | resource "aws_db_instance" "Example-RDS" { #tfsec:ignore:aws-rds-enable-deletion-protection
		12 |   engine                     = "mysql"
		13 |   engine_version             = "5.7"
		14 |   auto_minor_version_upgrade = true
		15 |   instance_class             = local.application_data.accounts[local.environment].db_instance_class
		16 |   db_name                    = "${local.application_name}${local.environment}database"
		17 |   identifier                 = "${local.application_name}-${local.environment}-database"
		18 |   username                   = local.application_data.accounts[local.environment].db_user
		19 |   password                   = aws_secretsmanager_secret_version.db_password.secret_string
		20 |   # tflint-ignore: aws_db_instance_default_parameter_group
		21 |   parameter_group_name        = "default.mysql5.7"
		22 |   skip_final_snapshot         = local.application_data.accounts[local.environment].skip_final_snapshot
		23 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		24 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		25 |   maintenance_window          = local.application_data.accounts[local.environment].maintenance_window
		26 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].allow_major_version_upgrade
		27 |   backup_window               = local.application_data.accounts[local.environment].backup_window
		28 |   backup_retention_period     = local.application_data.accounts[local.environment].retention_period
		29 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		30 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		31 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional" #tfsec:ignore:aws-rds-enable-database-authentication
		32 |   multi_az = local.application_data.accounts[local.environment].db_multi_az
		33 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		34 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		35 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		36 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		37 |   storage_encrypted               = true
		38 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		39 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		40 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		41 |   tags = merge(local.tags,
		42 |     { Name = lower(format("%s-%s-example", local.application_name, local.environment)) }
		43 |   )
		44 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /s3.tf:8-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.Example-RDS
	File: /rds.tf:11-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		11 | resource "aws_db_instance" "Example-RDS" { #tfsec:ignore:aws-rds-enable-deletion-protection
		12 |   engine                     = "mysql"
		13 |   engine_version             = "5.7"
		14 |   auto_minor_version_upgrade = true
		15 |   instance_class             = local.application_data.accounts[local.environment].db_instance_class
		16 |   db_name                    = "${local.application_name}${local.environment}database"
		17 |   identifier                 = "${local.application_name}-${local.environment}-database"
		18 |   username                   = local.application_data.accounts[local.environment].db_user
		19 |   password                   = aws_secretsmanager_secret_version.db_password.secret_string
		20 |   # tflint-ignore: aws_db_instance_default_parameter_group
		21 |   parameter_group_name        = "default.mysql5.7"
		22 |   skip_final_snapshot         = local.application_data.accounts[local.environment].skip_final_snapshot
		23 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		24 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		25 |   maintenance_window          = local.application_data.accounts[local.environment].maintenance_window
		26 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].allow_major_version_upgrade
		27 |   backup_window               = local.application_data.accounts[local.environment].backup_window
		28 |   backup_retention_period     = local.application_data.accounts[local.environment].retention_period
		29 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		30 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		31 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional" #tfsec:ignore:aws-rds-enable-database-authentication
		32 |   multi_az = local.application_data.accounts[local.environment].db_multi_az
		33 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		34 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		35 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		36 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		37 |   storage_encrypted               = true
		38 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		39 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		40 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		41 |   tags = merge(local.tags,
		42 |     { Name = lower(format("%s-%s-example", local.application_name, local.environment)) }
		43 |   )
		44 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.example_ec2_autoscale_sg
	File: /ec2_autoscaling_group.tf:73-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		73 | resource "aws_security_group" "example_ec2_autoscale_sg" {
		74 |   name        = "example_ec2_autoscale_sg"
		75 |   description = "Controls access to EC2"
		76 |   vpc_id      = data.aws_vpc.shared.id
		77 |   tags        = { Name = lower(format("sg-%s-%s-example", local.application_name, local.environment)) }
		78 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.complete_example_ec2_sg
	File: /ec2_complete.tf:207-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		207 | resource "aws_security_group" "complete_example_ec2_sg" {
		208 |   name        = "complete_ec2_sg"
		209 |   description = "Ingress and Egress Access Controls for EC2"
		210 |   vpc_id      = data.aws_vpc.shared.id
		211 |   tags        = { Name = lower(format("sg-%s-%s-example", local.application_name, local.environment)) }
		212 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.cluster_ec2
	File: /ecs.tf:190-218
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		190 | resource "aws_security_group" "cluster_ec2" {
		191 |   #checkov:skip=CKV_AWS_23
		192 |   name        = "cluster_ec2"
		193 |   description = "controls access to the cluster ec2 instance"
		194 |   vpc_id      = data.aws_vpc.shared.id
		195 |   dynamic "ingress" {
		196 |     for_each = local.ec2_ingress_rules
		197 |     content {
		198 |       description     = lookup(ingress.value, "description", null)
		199 |       from_port       = lookup(ingress.value, "from_port", null)
		200 |       to_port         = lookup(ingress.value, "to_port", null)
		201 |       protocol        = lookup(ingress.value, "protocol", null)
		202 |       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
		203 |       security_groups = lookup(ingress.value, "security_groups", null)
		204 |     }
		205 |   }
		206 |   dynamic "egress" {
		207 |     for_each = local.ec2_egress_rules
		208 |     content {
		209 |       description     = lookup(egress.value, "description", null)
		210 |       from_port       = lookup(egress.value, "from_port", null)
		211 |       to_port         = lookup(egress.value, "to_port", null)
		212 |       protocol        = lookup(egress.value, "protocol", null)
		213 |       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
		214 |       security_groups = lookup(egress.value, "security_groups", null)
		215 |     }
		216 |   }
		217 |   tags = { Name = lower(format("sg-%s-%s-example", local.application_name, local.environment)) }
		218 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /rds.tf:76-86
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		76 | resource "aws_secretsmanager_secret" "db_password" {
		77 |   #checkov:skip=CKV_AWS_149
		78 |   name                    = "${var.networking[0].application}-db-password"
		79 |   recovery_window_in_days = 0
		80 |   tags = merge(
		81 |     local.tags,
		82 |     {
		83 |       Name = "${var.networking[0].application}-db-password"
		84 |     },
		85 |   )
		86 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.certificate_example_lb
	File: /certificates.tf:63-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		63 | resource "aws_lb" "certificate_example_lb" {
		64 |   name               = "certificate-example-loadbalancer"
		65 |   load_balancer_type = "application"
		66 |   subnets            = data.aws_subnets.shared-public.ids
		67 |   #checkov:skip=CKV_AWS_150:Short-lived example environment, hence no need for deletion protection
		68 |   enable_deletion_protection = false
		69 |   # allow 60*4 seconds before 504 gateway timeout for long-running DB operations
		70 |   idle_timeout               = 240
		71 |   drop_invalid_header_fields = true
		72 | 
		73 |   security_groups = [aws_security_group.certificate_example_load_balancer_sg.id]
		74 | 
		75 |   access_logs {
		76 |     bucket  = module.s3-bucket-lb.bucket.id
		77 |     prefix  = "test-lb"
		78 |     enabled = true
		79 |   }
		80 | 
		81 |   tags       = { Name = "${local.application_name}-external-loadbalancer" }
		82 |   depends_on = [aws_security_group.certificate_example_load_balancer_sg]
		83 | }


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/example

*****************************

Running tflint in terraform/environments/example
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/example/rds.tf line 93:
  93: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/example

*****************************

Running Trivy in terraform/environments/example
2024-05-15T10:25:14Z	INFO	Need to update DB
2024-05-15T10:25:14Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-15T10:25:16Z	INFO	Vulnerability scanning is enabled
2024-05-15T10:25:16Z	INFO	Misconfiguration scanning is enabled
2024-05-15T10:25:16Z	INFO	Need to update the built-in policies
2024-05-15T10:25:16Z	INFO	Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-05-15T10:25:17Z	INFO	Secret scanning is enabled
2024-05-15T10:25:17Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-15T10:25:17Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-15T10:25:24Z	INFO	Number of language-specific files	num=0
2024-05-15T10:25:24Z	INFO	Detected config files	num=17

ec2.tf (terraform)
==================
Tests: 8 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ec2_autoscaling_group.tf (terraform)
====================================
Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ec2_complete.tf (terraform)
===========================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ec2_complete.tf:233
   via ec2_complete.tf:225-234 (aws_security_group_rule.complete_egress_traffic["TCP_ALL"])
────────────────────────────────────────
 225   resource "aws_security_group_rule" "complete_egress_traffic" {
 226     for_each          = local.complete_ec2_sg_egress_rules
 227     description       = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port)
 228     from_port         = each.value.from_port
 229     protocol          = each.value.protocol
 230     security_group_id = aws_security_group.example_ec2_sg.id
 231     to_port           = each.value.to_port
 232     type              = "egress"
 233 [   cidr_blocks       = [each.value.cidr_block]
 234   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 5 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:213
   via ecs.tf:208-215 (content)
    via ecs.tf:206-216 (dynamic.egress["cluster_ec2_lb_egress"])
     via ecs.tf:190-218 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 190   resource "aws_security_group" "cluster_ec2" {
 ...   
 213 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 218   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/main.tf (terraform)
==========================================================================================================
Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf (terraform)
==================================================================================================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:44
   via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:40-45 (metadata_options)
    via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.5.1/main.tf:1-99 (aws_launch_template.this)
     via ec2_autoscaling_group.tf:1-29 (module.ec2_test_autoscaling_group["dev-rh-rhel79"])
────────────────────────────────────────
   1   resource "aws_launch_template" "this" {
   .   
  44 [     http_tokens = coalesce(var.instance.metadata_options_http_tokens, "required")
  ..   
  99   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf (terraform)
==============================================================================================================================================================================================================================
Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:9-64 (module.s3-bucket[0])
    via ecs.tf:128-147 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
 171resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:9-64 (module.s3-bucket[0])
    via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
 171resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf (terraform)
=========================================================================================================
Tests: 16 (SUCCESSES: 10, FAILURES: 4, EXCEPTIONS: 2)
Failures: 4 (HIGH: 2, CRITICAL: 2)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:148
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:144-175 (aws_lb.loadbalancer)
    via ecs.tf:128-147 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
 144   resource "aws_lb" "loadbalancer" {
 ...   
 148 [   internal                         = var.internal_lb
 ...   
 175   }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:148
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:144-175 (aws_lb.loadbalancer)
    via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
 144   resource "aws_lb" "loadbalancer" {
 ...   
 148 [   internal                         = var.internal_lb
 ...   
 175   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:177-213 (aws_security_group.lb[0])
      via ecs.tf:128-147 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=v4.0.0/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf (terraform)
======================================================================================================
Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179
   via s3.tf:8-72 (module.s3-bucket)
────────────────────────────────────────
 171resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179
   via loadbalancer.tf:182-245 (module.s3-bucket-lb)
────────────────────────────────────────
 171resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 7 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 loadbalancer.tf:325-341
────────────────────────────────────────
 325resource "aws_instance" "lb_example_instance" {
 326#checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
 327# Specify the instance type and ami to be used (this is the Amazon free tier option)
 328 │   instance_type          = local.application_data.accounts[local.environment].instance_type
 329 │   ami                    = local.application_data.accounts[local.environment].ami_image_id
 330 │   vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id]
 331 │   subnet_id              = data.aws_subnet.private_subnets_a.id
 332 │   monitoring             = true
 333 └   ebs_optimized          = true
 ...   
────────────────────────────────────────


trivy_exitcode=1

dependabot bot commented on behalf of github May 16, 2024

Looks like service::github::ministryofjustice/modernisation-platform-terraform-ecs-cluster::v3.0.0 is no longer a dependency, so this is no longer needed.

@dependabot dependabot bot closed this May 16, 2024
@dependabot dependabot bot deleted the dependabot/terraform/terraform/environments/example/service--github--ministryofjustice/modernisation-platform-terraform-ecs-cluster--v3.0.0-4.3.0 branch May 16, 2024 09:44
Labels
dependencies Pull requests that update a dependency file environments-repository Used to exclude PRs from this repo in our Slack PR update terraform Pull requests that update Terraform code