
Get example successfully completing terraform runs #6119

Merged 4 commits on May 16, 2024

Conversation

dms1981 (Contributor) commented May 16, 2024

I think there's some value in revisiting / rewriting the code we have in example as it's gotten a bit disorganised, and doesn't represent consistent practice that we'd always want customers to crib from.

However, this PR adds some randomisation to names where there were previous clashes, updates to the most recent version of the ECS module, gets the RDS instance created, switches out the remote refs for modules to commit values, and puts in place some checkov skips where appropriate.

dms1981 requested a review from a team as a code owner May 16, 2024 09:19
github-actions bot added the label environments-repository ("Used to exclude PRs from this repo in our Slack PR update") May 16, 2024

Trivy Scan Failed

Trivy will check the following folders:
terraform/environments/example


Running Trivy in terraform/environments/example
2024-05-16T09:21:34Z INFO Need to update DB
2024-05-16T09:21:34Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-16T09:21:36Z INFO Vulnerability scanning is enabled
2024-05-16T09:21:36Z INFO Misconfiguration scanning is enabled
2024-05-16T09:21:36Z INFO Need to update the built-in policies
2024-05-16T09:21:36Z INFO Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-05-16T09:21:36Z INFO Secret scanning is enabled
2024-05-16T09:21:36Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-16T09:21:36Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-16T09:21:41Z INFO Number of language-specific files num=0
2024-05-16T09:21:41Z INFO Detected config files num=16

ec2.tf (terraform)

Tests: 8 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

ec2_autoscaling_group.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

ec2_complete.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2_complete.tf:235
via ec2_complete.tf:227-236 (aws_security_group_rule.complete_egress_traffic["TCP_ALL"])
────────────────────────────────────────
227   resource "aws_security_group_rule" "complete_egress_traffic" {
228     for_each          = local.complete_ec2_sg_egress_rules
229     description       = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port)
230     from_port         = each.value.from_port
231     protocol          = each.value.protocol
232     security_group_id = aws_security_group.example_ec2_sg.id
233     to_port           = each.value.to_port
234     type              = "egress"
235 [   cidr_blocks       = [each.value.cidr_block]
236   }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:209
via ecs.tf:204-211 (content)
via ecs.tf:202-212 (dynamic.egress["cluster_ec2_lb_egress"])
via ecs.tf:186-214 (aws_security_group.cluster_ec2)
────────────────────────────────────────
186   resource "aws_security_group" "cluster_ec2" {
...
209 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
...
214   }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3f454e2014a62990aacd5d68c64d026f11/main.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=03913ac182decfc8224923520439d53d7c930661/main.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=03913ac182decfc8224923520439d53d7c930661/main.tf:44
via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=03913ac182decfc8224923520439d53d7c930661/main.tf:40-45 (metadata_options)
via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=03913ac182decfc8224923520439d53d7c930661/main.tf:1-99 (aws_launch_template.this)
via ec2_autoscaling_group.tf:1-29 (module.ec2_test_autoscaling_group["dev-rh-rhel79"])
────────────────────────────────────────
1    resource "aws_launch_template" "this" {
...
44 [     http_tokens = coalesce(var.instance.metadata_options_http_tokens, "required")
...
99   }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf (terraform)

Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:9-64 (module.s3-bucket[0])
via ecs.tf:115-134 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │   bucket = aws_s3_bucket.default.id
173 │   rule {
174 │     apply_server_side_encryption_by_default {
175 │       sse_algorithm     = var.sse_algorithm
176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │     }
178 │   }
179 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:9-64 (module.s3-bucket[0])
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │   bucket = aws_s3_bucket.default.id
173 │   rule {
174 │     apply_server_side_encryption_by_default {
175 │       sse_algorithm     = var.sse_algorithm
176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │     }
178 │   }
179 └ }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 16 (SUCCESSES: 10, FAILURES: 4, EXCEPTIONS: 2)
Failures: 4 (HIGH: 2, CRITICAL: 2)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:144-175 (aws_lb.loadbalancer)
via ecs.tf:115-134 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
144   resource "aws_lb" "loadbalancer" {
...
148 [   internal = var.internal_lb
...
175   }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:144-175 (aws_lb.loadbalancer)
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
144   resource "aws_lb" "loadbalancer" {
...
148 [   internal = var.internal_lb
...
175   }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via ecs.tf:115-134 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
177   resource "aws_security_group" "lb" {
...
202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
...
213   }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
177   resource "aws_security_group" "lb" {
...
202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
...
213   }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf (terraform)

Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
via s3.tf:8-72 (module.s3-bucket)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │   bucket = aws_s3_bucket.default.id
173 │   rule {
174 │     apply_server_side_encryption_by_default {
175 │       sse_algorithm     = var.sse_algorithm
176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │     }
178 │   }
179 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
via loadbalancer.tf:185-248 (module.s3-bucket-lb)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │   bucket = aws_s3_bucket.default.id
173 │   rule {
174 │     apply_server_side_encryption_by_default {
175 │       sse_algorithm     = var.sse_algorithm
176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │     }
178 │   }
179 └ }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
loadbalancer.tf:328-345
────────────────────────────────────────
328 ┌ resource "aws_instance" "lb_example_instance" {
329 │   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
330 │   #checkov:skip=CKV_AWS_8: "Encryption not required for example instance"
331 │   # Specify the instance type and ami to be used (this is the Amazon free tier option)
332 │   instance_type          = local.application_data.accounts[local.environment].instance_type
333 │   ami                    = local.application_data.accounts[local.environment].ami_image_id
334 │   vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id]
335 │   subnet_id              = data.aws_subnet.private_subnets_a.id
336 └   monitoring             = true
...
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/example

*****************************

Running Checkov in terraform/environments/example
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-16 09:21:44,166 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=b00647922a9204a99b023ac884440162e2b51b66:None (for external modules, the --download-external-modules flag is required)
2024-05-16 09:21:44,166 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=b00647922a9204a99b023ac884440162e2b51b66:None (for external modules, the --download-external-modules flag is required)
2024-05-16 09:21:44,166 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-05-16 09:21:44,166 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=edc55b4005b7039e5b54ad7805e89a473fe3c3dd:None (for external modules, the --download-external-modules flag is required)
2024-05-16 09:21:44,167 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239:None (for external modules, the --download-external-modules flag is required)
2024-05-16 09:21:44,167 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=03913ac182decfc8224923520439d53d7c930661:None (for external modules, the --download-external-modules flag is required)
2024-05-16 09:21:44,167 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3f454e2014a62990aacd5d68c64d026f11:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 272, Failed checks: 6, Skipped checks: 34

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.example-rds
	File: /rds.tf:11-48
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		11 | resource "aws_db_instance" "example-rds" {
		12 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		13 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		14 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		15 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		16 |   #checkov:skip=CKV_AWS_293: "Deletion protection not required for example"
		17 |   #checkov:skip=CKV_AWS_354: "Performance insights don't need encryption for example"
		18 |   engine                     = "mysql"
		19 |   engine_version             = "5.7"
		20 |   auto_minor_version_upgrade = true
		21 |   instance_class             = local.application_data.accounts[local.environment].db_instance_class
		22 |   db_name                    = "${local.application_name}${local.environment}database"
		23 |   identifier                 = "${local.application_name}-${local.environment}-database"
		24 |   username                   = local.application_data.accounts[local.environment].db_user
		25 |   password                   = aws_secretsmanager_secret_version.db_password.secret_string
		26 |   # tflint-ignore: aws_db_instance_default_parameter_group
		27 |   parameter_group_name        = "default.mysql5.7"
		28 |   skip_final_snapshot         = local.application_data.accounts[local.environment].skip_final_snapshot
		29 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		30 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		31 |   maintenance_window          = local.application_data.accounts[local.environment].maintenance_window
		32 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].allow_major_version_upgrade
		33 |   backup_window               = local.application_data.accounts[local.environment].backup_window
		34 |   backup_retention_period     = local.application_data.accounts[local.environment].retention_period
		35 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		36 |   multi_az = local.application_data.accounts[local.environment].db_multi_az
		37 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		38 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		39 |   storage_encrypted               = true
		40 |   db_subnet_group_name = aws_db_subnet_group.example.name
		41 |   vpc_security_group_ids = [aws_security_group.rds-example.id]
		42 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		43 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		44 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		45 |   tags = merge(local.tags,
		46 |     { Name = lower(format("%s-%s-example", local.application_name, local.environment)) }
		47 |   )
		48 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /rds.tf:92-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		92  | resource "aws_secretsmanager_secret" "db_password" {
		93  |   #checkov:skip=CKV_AWS_149
		94  |   name                    = "${var.networking[0].application}-db-password"
		95  |   recovery_window_in_days = 0
		96  |   tags = merge(
		97  |     local.tags,
		98  |     {
		99  |       Name = "${var.networking[0].application}-db-password"
		100 |     },
		101 |   )
		102 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.certificate_example_lb
	File: /certificates.tf:63-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		63 | resource "aws_lb" "certificate_example_lb" {
		64 |   name               = "certificate-example-loadbalancer"
		65 |   load_balancer_type = "application"
		66 |   subnets            = data.aws_subnets.shared-public.ids
		67 |   #checkov:skip=CKV_AWS_150:Short-lived example environment, hence no need for deletion protection
		68 |   enable_deletion_protection = false
		69 |   # allow 60*4 seconds before 504 gateway timeout for long-running DB operations
		70 |   idle_timeout               = 240
		71 |   drop_invalid_header_fields = true
		72 | 
		73 |   security_groups = [aws_security_group.certificate_example_load_balancer_sg.id]
		74 | 
		75 |   access_logs {
		76 |     bucket  = module.s3-bucket-lb.bucket.id
		77 |     prefix  = "test-lb"
		78 |     enabled = true
		79 |   }
		80 | 
		81 |   tags       = { Name = "${local.application_name}-external-loadbalancer" }
		82 |   depends_on = [aws_security_group.certificate_example_load_balancer_sg]
		83 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.example_ec2_autoscale_sg
	File: /ec2_autoscaling_group.tf:77-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		77 | resource "aws_security_group" "example_ec2_autoscale_sg" {
		78 |   name        = "example_ec2_autoscale_sg"
		79 |   description = "Controls access to EC2"
		80 |   vpc_id      = data.aws_vpc.shared.id
		81 |   tags        = { Name = lower(format("sg-%s-%s-example", local.application_name, local.environment)) }
		82 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.complete_example_ec2_sg
	File: /ec2_complete.tf:209-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		209 | resource "aws_security_group" "complete_example_ec2_sg" {
		210 |   name        = "complete_ec2_sg"
		211 |   description = "Ingress and Egress Access Controls for EC2"
		212 |   vpc_id      = data.aws_vpc.shared.id
		213 |   tags        = { Name = lower(format("sg-%s-%s-example", local.application_name, local.environment)) }
		214 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.cluster_ec2
	File: /ecs.tf:186-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		186 | resource "aws_security_group" "cluster_ec2" {
		187 |   #checkov:skip=CKV_AWS_23
		188 |   name        = "cluster_ec2"
		189 |   description = "controls access to the cluster ec2 instance"
		190 |   vpc_id      = data.aws_vpc.shared.id
		191 |   dynamic "ingress" {
		192 |     for_each = local.ec2_ingress_rules
		193 |     content {
		194 |       description     = lookup(ingress.value, "description", null)
		195 |       from_port       = lookup(ingress.value, "from_port", null)
		196 |       to_port         = lookup(ingress.value, "to_port", null)
		197 |       protocol        = lookup(ingress.value, "protocol", null)
		198 |       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
		199 |       security_groups = lookup(ingress.value, "security_groups", null)
		200 |     }
		201 |   }
		202 |   dynamic "egress" {
		203 |     for_each = local.ec2_egress_rules
		204 |     content {
		205 |       description     = lookup(egress.value, "description", null)
		206 |       from_port       = lookup(egress.value, "from_port", null)
		207 |       to_port         = lookup(egress.value, "to_port", null)
		208 |       protocol        = lookup(egress.value, "protocol", null)
		209 |       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
		210 |       security_groups = lookup(egress.value, "security_groups", null)
		211 |     }
		212 |   }
		213 |   tags = { Name = lower(format("sg-%s-%s-example", local.application_name, local.environment)) }
		214 | }


checkov_exitcode=1

TFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/example

*****************************

Running tflint in terraform/environments/example
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/example

*****************************

Running Trivy in terraform/environments/example
2024-05-16T09:21:34Z	INFO	Need to update DB
2024-05-16T09:21:34Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-16T09:21:36Z	INFO	Vulnerability scanning is enabled
2024-05-16T09:21:36Z	INFO	Misconfiguration scanning is enabled
2024-05-16T09:21:36Z	INFO	Need to update the built-in policies
2024-05-16T09:21:36Z	INFO	Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-05-16T09:21:36Z	INFO	Secret scanning is enabled
2024-05-16T09:21:36Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-16T09:21:36Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-16T09:21:41Z	INFO	Number of language-specific files	num=0
2024-05-16T09:21:41Z	INFO	Detected config files	num=16

ec2.tf (terraform)
==================
Tests: 8 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ec2_autoscaling_group.tf (terraform)
====================================
Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ec2_complete.tf (terraform)
===========================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ec2_complete.tf:235
   via ec2_complete.tf:227-236 (aws_security_group_rule.complete_egress_traffic["TCP_ALL"])
────────────────────────────────────────
 227   resource "aws_security_group_rule" "complete_egress_traffic" {
 228     for_each          = local.complete_ec2_sg_egress_rules
 229     description       = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port)
 230     from_port         = each.value.from_port
 231     protocol          = each.value.protocol
 232     security_group_id = aws_security_group.example_ec2_sg.id
 233     to_port           = each.value.to_port
 234     type              = "egress"
 235 [   cidr_blocks       = [each.value.cidr_block]
 236   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 5 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:209
   via ecs.tf:204-211 (content)
    via ecs.tf:202-212 (dynamic.egress["cluster_ec2_lb_egress"])
     via ecs.tf:186-214 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 186   resource "aws_security_group" "cluster_ec2" {
 ...   
 209 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 214   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3f454e2014a62990aacd5d68c64d026f11/main.tf (terraform)
============================================================================================================================================
Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=03913ac182decfc8224923520439d53d7c930661/main.tf (terraform)
====================================================================================================================================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default the aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using the metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=03913ac182decfc8224923520439d53d7c930661/main.tf:44
   via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=03913ac182decfc8224923520439d53d7c930661/main.tf:40-45 (metadata_options)
    via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=03913ac182decfc8224923520439d53d7c930661/main.tf:1-99 (aws_launch_template.this)
     via ec2_autoscaling_group.tf:1-29 (module.ec2_test_autoscaling_group["dev-rh-rhel79"])
────────────────────────────────────────
   1   resource "aws_launch_template" "this" {
   .   
  44 [     http_tokens = coalesce(var.instance.metadata_options_http_tokens, "required")
  ..   
  99   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf (terraform)
================================================================================================================================================================================================================================================================
Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:9-64 (module.s3-bucket[0])
    via ecs.tf:115-134 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
 171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:9-64 (module.s3-bucket[0])
    via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
 171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 16 (SUCCESSES: 10, FAILURES: 4, EXCEPTIONS: 2)
Failures: 4 (HIGH: 2, CRITICAL: 2)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:144-175 (aws_lb.loadbalancer)
    via ecs.tf:115-134 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
 144   resource "aws_lb" "loadbalancer" {
 ...   
 148 [   internal                         = var.internal_lb
 ...   
 175   }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:144-175 (aws_lb.loadbalancer)
    via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
 144   resource "aws_lb" "loadbalancer" {
 ...   
 148 [   internal                         = var.internal_lb
 ...   
 175   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via ecs.tf:115-134 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf (terraform)
========================================================================================================================================
Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
   via s3.tf:8-72 (module.s3-bucket)
────────────────────────────────────────
 171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
   via loadbalancer.tf:185-248 (module.s3-bucket-lb)
────────────────────────────────────────
 171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 7 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 loadbalancer.tf:328-345
────────────────────────────────────────
 328 ┌ resource "aws_instance" "lb_example_instance" {
 329 │   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
 330 │   #checkov:skip=CKV_AWS_8: "Encryption not required for example instance"
 331 │   # Specify the instance type and ami to be used (this is the Amazon free tier option)
 332 │   instance_type          = local.application_data.accounts[local.environment].instance_type
 333 │   ami                    = local.application_data.accounts[local.environment].ami_image_id
 334 │   vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id]
 335 │   subnet_id              = data.aws_subnet.private_subnets_a.id
 336 └   monitoring             = true
 ...   
────────────────────────────────────────


trivy_exitcode=1

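The scan above leaves four classes of finding open at merge time: IMDSv2 not enforced (avd-aws-0130), S3 buckets without a customer managed key (avd-aws-0132), an unencrypted root volume (avd-aws-0131) and unrestricted egress rules (avd-aws-0104). The Terraform below is an added example of the hardened form of each, written for this page; it is not code from the ministryofjustice example environment or its modules. The resource names, the `aws_s3_bucket.logs`, `aws_security_group.app` and `data.aws_vpc.this` references and the `var.ami_id` input are placeholders assumed for illustration.

```hcl
# Added example: hardened counterparts to the Trivy findings above.
# All names and the referenced bucket, security group, VPC and AMI
# variable are placeholders, not resources from the example repository.

# avd-aws-0130: make IMDSv2 session tokens mandatory. The flagged module
# line used coalesce(var..., "required"); a literal leaves nothing for
# a caller to downgrade and nothing the scanner has to resolve.
resource "aws_launch_template" "hardened" {
  name_prefix   = "hardened-"
  image_id      = var.ami_id
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1 # SSRF from a container cannot reach IMDS
  }

  # avd-aws-0131: encrypt the root volume with a CMK rather than relying
  # on the account default EBS key.
  block_device_mappings {
    device_name = "/dev/xvda"
    ebs {
      encrypted  = true
      kms_key_id = aws_kms_key.ebs.arn
    }
  }
}

resource "aws_kms_key" "ebs" {
  description         = "CMK for EBS root volumes"
  enable_key_rotation = true
}

# avd-aws-0132: SSE-KMS with a customer managed key. The flagged module
# only sets kms_master_key_id when custom_kms_key is non-empty, so the
# caller fixes this by passing a key, not by editing the module.
resource "aws_kms_key" "s3" {
  description         = "CMK for application bucket"
  enable_key_rotation = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "app" {
  bucket = aws_s3_bucket.logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
    bucket_key_enabled = true # fewer KMS calls, same key
  }
}

# Where a finding is a documented exception rather than a defect, Trivy
# honours its own inline ignore (with an optional expiry). The checkov:skip
# comments in the scanned files suppress Checkov only, which is why Trivy
# still reports avd-aws-0131 on lb_example_instance above.
#trivy:ignore:AVD-AWS-0104:exp:2024-12-31
resource "aws_security_group_rule" "egress_vpc" {
  type              = "egress"
  security_group_id = aws_security_group.app.id
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = [data.aws_vpc.this.cidr_block] # VPC only, not 0.0.0.0/0
  description       = "Intra-VPC traffic"
}

# avd-aws-0104: egress to AWS services via the regional S3 prefix list
# instead of the public internet.
resource "aws_security_group_rule" "egress_s3_https" {
  type              = "egress"
  security_group_id = aws_security_group.app.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [data.aws_ec2_managed_prefix_list.s3.id]
  description       = "HTTPS to S3 via gateway endpoint"
}

data "aws_ec2_managed_prefix_list" "s3" {
  name = "com.amazonaws.${data.aws_region.current.name}.s3"
}

data "aws_region" "current" {}
```

One caveat on avd-aws-0132: it fires twice above on buckets created by the loadbalancer module for access logs (module.ecs_lb_access_logs_enabled and module.lb_access_logs_enabled). Elastic Load Balancing writes access logs only to buckets using SSE-S3, not SSE-KMS, so for those two buckets the finding cannot be resolved by supplying a CMK and should be recorded as an exception; the CMK fix applies to the ordinary buckets in s3.tf and loadbalancer.tf.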
@dms1981 dms1981 merged commit b8662b7 into main May 16, 2024
9 of 10 checks passed
@dms1981 dms1981 deleted the fix/example-ecs branch May 16, 2024 09:42