Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add cloudwatch metric alarm notification on load balancer #6859

Merged
merged 24 commits into from
Jul 10, 2024
Merged

add cloudwatch metric alarm notification on load balancer #6859

merged 24 commits into from
Jul 10, 2024

Conversation

roncitrus
Copy link
Contributor

No description provided.

@roncitrus roncitrus requested review from a team as code owners July 4, 2024 11:34
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jul 4, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 4, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-04T11:36:38Z INFO Need to update DB
2024-07-04T11:36:38Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-04T11:36:40Z INFO Vulnerability scanning is enabled
2024-07-04T11:36:40Z INFO Misconfiguration scanning is enabled
2024-07-04T11:36:40Z INFO Need to update the built-in policies
2024-07-04T11:36:40Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-04T11:36:40Z INFO Secret scanning is enabled
2024-07-04T11:36:40Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-04T11:36:40Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-04T11:36:42Z INFO Number of language-specific files num=0
2024-07-04T11:36:42Z INFO Detected config files num=9

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-04 11:36:44,789 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-04 11:36:44,789 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 99, Failed checks: 37, Skipped checks: 1, Parsing errors: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
Failed to load configurations; terraform/environments/cdpt-ifs/monitoring.tf:11,56-57: Unclosed configuration block; There is no closing brace for this block before the end of the file. This may be caused by incorrect brace nesting elsewhere in this file.:

�[31mError�[0m: Unclosed configuration block

  on terraform/environments/cdpt-ifs/monitoring.tf line 11, in resource "aws_cloudwatch_metric_alarm" "lb_5xx_errors":
  11: resource "aws_cloudwatch_metric_alarm" "lb_5xx_errors" �[1;4m{�[0m

There is no closing brace for this block before the end of the file. This may be caused by incorrect brace nesting elsewhere in this file.

tflint_exitcode=1

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-04T11:36:38Z	INFO	Need to update DB
2024-07-04T11:36:38Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-04T11:36:40Z	INFO	Vulnerability scanning is enabled
2024-07-04T11:36:40Z	INFO	Misconfiguration scanning is enabled
2024-07-04T11:36:40Z	INFO	Need to update the built-in policies
2024-07-04T11:36:40Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-04T11:36:40Z	INFO	Secret scanning is enabled
2024-07-04T11:36:40Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-04T11:36:40Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-04T11:36:42Z	INFO	Number of language-specific files	num=0
2024-07-04T11:36:42Z	INFO	Detected config files	num=9

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 4, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-04T11:38:05Z INFO Need to update DB
2024-07-04T11:38:05Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-04T11:38:07Z INFO Vulnerability scanning is enabled
2024-07-04T11:38:07Z INFO Misconfiguration scanning is enabled
2024-07-04T11:38:07Z INFO Need to update the built-in policies
2024-07-04T11:38:07Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-04T11:38:07Z INFO Secret scanning is enabled
2024-07-04T11:38:07Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-04T11:38:07Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-04T11:38:09Z INFO Number of language-specific files num=0
2024-07-04T11:38:09Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_sns_topic" "lb_alarm_topic" {
2 │ name = "lb_alarm_topic"
3 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-04 11:38:11,709 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-04 11:38:11,709 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 100, Failed checks: 38, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_alarm_topic
	File: /monitoring.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1 | resource "aws_sns_topic" "lb_alarm_topic" {
		2 |   name = "lb_alarm_topic"
		3 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/secrets.tf line 5:
   5: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-04T11:38:05Z	INFO	Need to update DB
2024-07-04T11:38:05Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-04T11:38:07Z	INFO	Vulnerability scanning is enabled
2024-07-04T11:38:07Z	INFO	Misconfiguration scanning is enabled
2024-07-04T11:38:07Z	INFO	Need to update the built-in policies
2024-07-04T11:38:07Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-04T11:38:07Z	INFO	Secret scanning is enabled
2024-07-04T11:38:07Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-04T11:38:07Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-04T11:38:09Z	INFO	Number of language-specific files	num=0
2024-07-04T11:38:09Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:1-3
────────────────────────────────────────
   1resource "aws_sns_topic" "lb_alarm_topic" {
   2 │   name = "lb_alarm_topic"
   3 └ }
────────────────────────────────────────


trivy_exitcode=1

@roncitrus roncitrus temporarily deployed to cdpt-ifs-development July 4, 2024 11:44 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 4, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-04T11:45:16Z INFO Need to update DB
2024-07-04T11:45:16Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-04T11:45:18Z INFO Vulnerability scanning is enabled
2024-07-04T11:45:18Z INFO Misconfiguration scanning is enabled
2024-07-04T11:45:18Z INFO Need to update the built-in policies
2024-07-04T11:45:18Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-04T11:45:18Z INFO Secret scanning is enabled
2024-07-04T11:45:18Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-04T11:45:18Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-04T11:45:22Z INFO Number of language-specific files num=0
2024-07-04T11:45:22Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_sns_topic" "lb_alarm_topic" {
2 │ name = "lb_alarm_topic"
3 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-04 11:45:24,876 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-04 11:45:24,876 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 100, Failed checks: 38, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_alarm_topic
	File: /monitoring.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1 | resource "aws_sns_topic" "lb_alarm_topic" {
		2 |   name = "lb_alarm_topic"
		3 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/loadbalancer.tf line 97:
  97: resource "random_string" "ifs_target_group_name" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-04T11:45:16Z	INFO	Need to update DB
2024-07-04T11:45:16Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-04T11:45:18Z	INFO	Vulnerability scanning is enabled
2024-07-04T11:45:18Z	INFO	Misconfiguration scanning is enabled
2024-07-04T11:45:18Z	INFO	Need to update the built-in policies
2024-07-04T11:45:18Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-04T11:45:18Z	INFO	Secret scanning is enabled
2024-07-04T11:45:18Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-04T11:45:18Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-04T11:45:22Z	INFO	Number of language-specific files	num=0
2024-07-04T11:45:22Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:1-3
────────────────────────────────────────
   1resource "aws_sns_topic" "lb_alarm_topic" {
   2 │   name = "lb_alarm_topic"
   3 └ }
────────────────────────────────────────


trivy_exitcode=1

@roncitrus roncitrus temporarily deployed to cdpt-ifs-development July 4, 2024 13:06 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 4, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-04T13:06:49Z INFO Need to update DB
2024-07-04T13:06:49Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-04T13:06:51Z INFO Vulnerability scanning is enabled
2024-07-04T13:06:51Z INFO Misconfiguration scanning is enabled
2024-07-04T13:06:51Z INFO Need to update the built-in policies
2024-07-04T13:06:51Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-04T13:06:51Z INFO Secret scanning is enabled
2024-07-04T13:06:51Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-04T13:06:51Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-04T13:06:53Z INFO Number of language-specific files num=0
2024-07-04T13:06:53Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_sns_topic" "lb_alarm_topic" {
2 │ name = "lb_alarm_topic"
3 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-04 13:06:55,345 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-04 13:06:55,345 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 100, Failed checks: 38, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_alarm_topic
	File: /monitoring.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1 | resource "aws_sns_topic" "lb_alarm_topic" {
		2 |   name = "lb_alarm_topic"
		3 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/loadbalancer.tf line 97:
  97: resource "random_string" "ifs_target_group_name" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-04T13:06:49Z	INFO	Need to update DB
2024-07-04T13:06:49Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-04T13:06:51Z	INFO	Vulnerability scanning is enabled
2024-07-04T13:06:51Z	INFO	Misconfiguration scanning is enabled
2024-07-04T13:06:51Z	INFO	Need to update the built-in policies
2024-07-04T13:06:51Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-04T13:06:51Z	INFO	Secret scanning is enabled
2024-07-04T13:06:51Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-04T13:06:51Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-04T13:06:53Z	INFO	Number of language-specific files	num=0
2024-07-04T13:06:53Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:1-3
────────────────────────────────────────
   1resource "aws_sns_topic" "lb_alarm_topic" {
   2 │   name = "lb_alarm_topic"
   3 └ }
────────────────────────────────────────


trivy_exitcode=1

@roncitrus roncitrus temporarily deployed to cdpt-ifs-development July 4, 2024 13:18 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 4, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-04T13:19:04Z INFO Need to update DB
2024-07-04T13:19:04Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-04T13:19:06Z INFO Vulnerability scanning is enabled
2024-07-04T13:19:06Z INFO Misconfiguration scanning is enabled
2024-07-04T13:19:06Z INFO Need to update the built-in policies
2024-07-04T13:19:06Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-04T13:19:07Z INFO Secret scanning is enabled
2024-07-04T13:19:07Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-04T13:19:07Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-04T13:19:10Z INFO Number of language-specific files num=0
2024-07-04T13:19:10Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_sns_topic" "lb_alarm_topic" {
2 │ name = "lb_alarm_topic"
3 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-04 13:19:13,233 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-04 13:19:13,234 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 100, Failed checks: 38, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_alarm_topic
	File: /monitoring.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1 | resource "aws_sns_topic" "lb_alarm_topic" {
		2 |   name = "lb_alarm_topic"
		3 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/loadbalancer.tf line 97:
  97: resource "random_string" "ifs_target_group_name" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-04T13:19:04Z	INFO	Need to update DB
2024-07-04T13:19:04Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-04T13:19:06Z	INFO	Vulnerability scanning is enabled
2024-07-04T13:19:06Z	INFO	Misconfiguration scanning is enabled
2024-07-04T13:19:06Z	INFO	Need to update the built-in policies
2024-07-04T13:19:06Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-04T13:19:07Z	INFO	Secret scanning is enabled
2024-07-04T13:19:07Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-04T13:19:07Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-04T13:19:10Z	INFO	Number of language-specific files	num=0
2024-07-04T13:19:10Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:1-3
────────────────────────────────────────
   1resource "aws_sns_topic" "lb_alarm_topic" {
   2 │   name = "lb_alarm_topic"
   3 └ }
────────────────────────────────────────


trivy_exitcode=1

@roncitrus roncitrus temporarily deployed to cdpt-ifs-development July 4, 2024 14:47 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 4, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-04T14:47:50Z INFO Need to update DB
2024-07-04T14:47:50Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-04T14:47:51Z INFO Vulnerability scanning is enabled
2024-07-04T14:47:51Z INFO Misconfiguration scanning is enabled
2024-07-04T14:47:51Z INFO Need to update the built-in policies
2024-07-04T14:47:51Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-04T14:47:52Z INFO Secret scanning is enabled
2024-07-04T14:47:52Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-04T14:47:52Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-04T14:47:54Z INFO Number of language-specific files num=0
2024-07-04T14:47:54Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_sns_topic" "lb_alarm_topic" {
2 │ name = "lb_alarm_topic"
3 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-04 14:47:57,122 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-04 14:47:57,122 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 100, Failed checks: 38, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_alarm_topic
	File: /monitoring.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1 | resource "aws_sns_topic" "lb_alarm_topic" {
		2 |   name = "lb_alarm_topic"
		3 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/secrets.tf line 5:
   5: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-04T14:47:50Z	INFO	Need to update DB
2024-07-04T14:47:50Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-04T14:47:51Z	INFO	Vulnerability scanning is enabled
2024-07-04T14:47:51Z	INFO	Misconfiguration scanning is enabled
2024-07-04T14:47:51Z	INFO	Need to update the built-in policies
2024-07-04T14:47:51Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-04T14:47:52Z	INFO	Secret scanning is enabled
2024-07-04T14:47:52Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-04T14:47:52Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-04T14:47:54Z	INFO	Number of language-specific files	num=0
2024-07-04T14:47:54Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:1-3
────────────────────────────────────────
   1resource "aws_sns_topic" "lb_alarm_topic" {
   2 │   name = "lb_alarm_topic"
   3 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 5, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-05T11:28:51Z INFO Need to update DB
2024-07-05T11:28:51Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-05T11:28:53Z INFO Vulnerability scanning is enabled
2024-07-05T11:28:53Z INFO Misconfiguration scanning is enabled
2024-07-05T11:28:53Z INFO Need to update the built-in policies
2024-07-05T11:28:53Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-05T11:28:54Z INFO Secret scanning is enabled
2024-07-05T11:28:54Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-05T11:28:54Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-05T11:28:56Z INFO Number of language-specific files num=0
2024-07-05T11:28:56Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_sns_topic" "lb_alarm_topic" {
2 │ name = "lb_alarm_topic"
3 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-05 11:28:58,983 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-05 11:28:58,983 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-07-05 11:28:59,183 [MainThread  ] [WARNI]  Module /github/workspace/terraform/environments/cdpt-ifs/modules/secrets_manager:latest failed to load via <class 'checkov.terraform.module_loading.loaders.local_path_loader.LocalPathLoader'>
2024-07-05 11:28:59,183 [MainThread  ] [WARNI]  Unable to load module - source: /github/workspace/terraform/environments/cdpt-ifs/modules/secrets_manager, version: latest, error: /github/workspace/terraform/environments/cdpt-ifs/modules/secrets_manager
terraform scan results:

Passed checks: 100, Failed checks: 38, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_alarm_topic
	File: /monitoring.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1 | resource "aws_sns_topic" "lb_alarm_topic" {
		2 |   name = "lb_alarm_topic"
		3 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/loadbalancer.tf line 97:
  97: resource "random_string" "ifs_target_group_name" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-05T11:28:51Z	INFO	Need to update DB
2024-07-05T11:28:51Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-05T11:28:53Z	INFO	Vulnerability scanning is enabled
2024-07-05T11:28:53Z	INFO	Misconfiguration scanning is enabled
2024-07-05T11:28:53Z	INFO	Need to update the built-in policies
2024-07-05T11:28:53Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-05T11:28:54Z	INFO	Secret scanning is enabled
2024-07-05T11:28:54Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-05T11:28:54Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-05T11:28:56Z	INFO	Number of language-specific files	num=0
2024-07-05T11:28:56Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:1-3
────────────────────────────────────────
   1resource "aws_sns_topic" "lb_alarm_topic" {
   2 │   name = "lb_alarm_topic"
   3 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 5, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-05T12:26:58Z INFO Need to update DB
2024-07-05T12:26:58Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-05T12:26:59Z INFO Vulnerability scanning is enabled
2024-07-05T12:26:59Z INFO Misconfiguration scanning is enabled
2024-07-05T12:26:59Z INFO Need to update the built-in policies
2024-07-05T12:26:59Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-05T12:27:00Z INFO Secret scanning is enabled
2024-07-05T12:27:00Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-05T12:27:00Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-05T12:27:01Z INFO Number of language-specific files num=0
2024-07-05T12:27:01Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_sns_topic" "lb_alarm_topic" {
2 │ name = "lb_alarm_topic"
3 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-05 12:27:04,311 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-05 12:27:04,311 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-07-05 12:27:04,522 [MainThread  ] [WARNI]  Module /github/workspace/terraform/environments/cdpt-ifs/modules/baseline/secrets_manager:latest failed to load via <class 'checkov.terraform.module_loading.loaders.local_path_loader.LocalPathLoader'>
2024-07-05 12:27:04,522 [MainThread  ] [WARNI]  Unable to load module - source: /github/workspace/terraform/environments/cdpt-ifs/modules/baseline/secrets_manager, version: latest, error: /github/workspace/terraform/environments/cdpt-ifs/modules/baseline/secrets_manager
terraform scan results:

Passed checks: 100, Failed checks: 38, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_alarm_topic
	File: /monitoring.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1 | resource "aws_sns_topic" "lb_alarm_topic" {
		2 |   name = "lb_alarm_topic"
		3 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/loadbalancer.tf line 97:
  97: resource "random_string" "ifs_target_group_name" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-05T12:26:58Z	INFO	Need to update DB
2024-07-05T12:26:58Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-05T12:26:59Z	INFO	Vulnerability scanning is enabled
2024-07-05T12:26:59Z	INFO	Misconfiguration scanning is enabled
2024-07-05T12:26:59Z	INFO	Need to update the built-in policies
2024-07-05T12:26:59Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-05T12:27:00Z	INFO	Secret scanning is enabled
2024-07-05T12:27:00Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-05T12:27:00Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-05T12:27:01Z	INFO	Number of language-specific files	num=0
2024-07-05T12:27:01Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:1-3
────────────────────────────────────────
   1resource "aws_sns_topic" "lb_alarm_topic" {
   2 │   name = "lb_alarm_topic"
   3 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 5, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-05T12:31:31Z INFO Need to update DB
2024-07-05T12:31:31Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-05T12:31:33Z INFO Vulnerability scanning is enabled
2024-07-05T12:31:33Z INFO Misconfiguration scanning is enabled
2024-07-05T12:31:33Z INFO Need to update the built-in policies
2024-07-05T12:31:33Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-05T12:31:33Z INFO Secret scanning is enabled
2024-07-05T12:31:33Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-05T12:31:33Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-05T12:31:37Z INFO Number of language-specific files num=0
2024-07-05T12:31:37Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_sns_topic" "lb_alarm_topic" {
2 │ name = "lb_alarm_topic"
3 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-05 12:31:39,983 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-05 12:31:39,983 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-07-05 12:31:40,179 [MainThread  ] [WARNI]  Module /github/workspace/terraform/environments/cdpt-ifs/modules/baseline/secretsmanager:latest failed to load via <class 'checkov.terraform.module_loading.loaders.local_path_loader.LocalPathLoader'>
2024-07-05 12:31:40,179 [MainThread  ] [WARNI]  Unable to load module - source: /github/workspace/terraform/environments/cdpt-ifs/modules/baseline/secretsmanager, version: latest, error: /github/workspace/terraform/environments/cdpt-ifs/modules/baseline/secretsmanager
terraform scan results:

Passed checks: 100, Failed checks: 38, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_alarm_topic
	File: /monitoring.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1 | resource "aws_sns_topic" "lb_alarm_topic" {
		2 |   name = "lb_alarm_topic"
		3 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/loadbalancer.tf line 97:
  97: resource "random_string" "ifs_target_group_name" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-05T12:31:31Z	INFO	Need to update DB
2024-07-05T12:31:31Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-05T12:31:33Z	INFO	Vulnerability scanning is enabled
2024-07-05T12:31:33Z	INFO	Misconfiguration scanning is enabled
2024-07-05T12:31:33Z	INFO	Need to update the built-in policies
2024-07-05T12:31:33Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-05T12:31:33Z	INFO	Secret scanning is enabled
2024-07-05T12:31:33Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-05T12:31:33Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-05T12:31:37Z	INFO	Number of language-specific files	num=0
2024-07-05T12:31:37Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:1-3
────────────────────────────────────────
   1resource "aws_sns_topic" "lb_alarm_topic" {
   2 │   name = "lb_alarm_topic"
   3 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 5, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-05T13:59:18Z INFO Need to update DB
2024-07-05T13:59:18Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-05T13:59:20Z INFO Vulnerability scanning is enabled
2024-07-05T13:59:20Z INFO Misconfiguration scanning is enabled
2024-07-05T13:59:20Z INFO Need to update the built-in policies
2024-07-05T13:59:20Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-05T13:59:21Z INFO Secret scanning is enabled
2024-07-05T13:59:21Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-05T13:59:21Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-05T13:59:25Z INFO Number of language-specific files num=0
2024-07-05T13:59:25Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-05 13:59:28,140 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-05 13:59:28,140 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-07-05 13:59:28,140 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 102, Failed checks: 38, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:40-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		40 | module "pagerduty_core_alerts" {
		41 |   depends_on = [
		42 |     aws_sns_topic.lb-5xx-errors
		43 |   ]
		44 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		45 |   sns_topics                = [aws_sns_topic.lb_5xx_alarm_topic.name]
		46 |   pagerduty_integration_key = local.pagerduty_integration_keys["cloudwatch_lb_alert"]
		47 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/loadbalancer.tf line 97:
  97: resource "random_string" "ifs_target_group_name" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-05T13:59:18Z	INFO	Need to update DB
2024-07-05T13:59:18Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-05T13:59:20Z	INFO	Vulnerability scanning is enabled
2024-07-05T13:59:20Z	INFO	Misconfiguration scanning is enabled
2024-07-05T13:59:20Z	INFO	Need to update the built-in policies
2024-07-05T13:59:20Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-05T13:59:21Z	INFO	Secret scanning is enabled
2024-07-05T13:59:21Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-05T13:59:21Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-05T13:59:25Z	INFO	Number of language-specific files	num=0
2024-07-05T13:59:25Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 5, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-05T15:20:04Z INFO Need to update DB
2024-07-05T15:20:04Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-05T15:20:06Z INFO Vulnerability scanning is enabled
2024-07-05T15:20:06Z INFO Misconfiguration scanning is enabled
2024-07-05T15:20:06Z INFO Need to update the built-in policies
2024-07-05T15:20:06Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-05T15:20:07Z INFO Secret scanning is enabled
2024-07-05T15:20:07Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-05T15:20:07Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-05T15:20:09Z INFO Number of language-specific files num=0
2024-07-05T15:20:09Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:17-19
────────────────────────────────────────
17 ┌ resource "aws_sns_topic" "lb_5xx_alarm_topic" {
18 │ name = "lb_5xx_alarm_topic"
19 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-05 15:20:11,723 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-05 15:20:11,723 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-07-05 15:20:11,723 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 101, Failed checks: 39, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_5xx_alarm_topic
	File: /monitoring.tf:17-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "lb_5xx_alarm_topic" {
		18 |   name = "lb_5xx_alarm_topic"
		19 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:39-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		39 | module "pagerduty_core_alerts" {
		40 |   depends_on = [
		41 |     aws_sns_topic.lb-5xx-errors
		42 |   ]
		43 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		44 |   sns_topics                = [aws_sns_topic.lb_5xx_alarm_topic.name]
		45 |   pagerduty_integration_key = local.pagerduty_integration_keys["cloudwatch_lb_alert"]
		46 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/loadbalancer.tf line 97:
  97: resource "random_string" "ifs_target_group_name" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-05T15:20:04Z	INFO	Need to update DB
2024-07-05T15:20:04Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-05T15:20:06Z	INFO	Vulnerability scanning is enabled
2024-07-05T15:20:06Z	INFO	Misconfiguration scanning is enabled
2024-07-05T15:20:06Z	INFO	Need to update the built-in policies
2024-07-05T15:20:06Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-05T15:20:07Z	INFO	Secret scanning is enabled
2024-07-05T15:20:07Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-05T15:20:07Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-05T15:20:09Z	INFO	Number of language-specific files	num=0
2024-07-05T15:20:09Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:17-19
────────────────────────────────────────
  17resource "aws_sns_topic" "lb_5xx_alarm_topic" {
  18 │   name = "lb_5xx_alarm_topic"
  19 └ }
────────────────────────────────────────


trivy_exitcode=1

@roncitrus roncitrus temporarily deployed to cdpt-ifs-development July 8, 2024 16:00 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 8, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-08T16:01:05Z INFO Need to update DB
2024-07-08T16:01:05Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-08T16:01:07Z INFO Vulnerability scanning is enabled
2024-07-08T16:01:07Z INFO Misconfiguration scanning is enabled
2024-07-08T16:01:07Z INFO Need to update the built-in policies
2024-07-08T16:01:07Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-08T16:01:07Z INFO Secret scanning is enabled
2024-07-08T16:01:07Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-08T16:01:07Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-08T16:01:12Z INFO Number of language-specific files num=0
2024-07-08T16:01:12Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:18-20
────────────────────────────────────────
18 ┌ resource "aws_sns_topic" "lb_5xx_alarm_topic" {
19 │ name = "lb_5xx_alarm_topic"
20 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-08 16:01:15,261 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-08 16:01:15,261 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-07-08 16:01:15,261 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 101, Failed checks: 39, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_5xx_alarm_topic
	File: /monitoring.tf:18-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		18 | resource "aws_sns_topic" "lb_5xx_alarm_topic" {
		19 |   name = "lb_5xx_alarm_topic"
		20 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:40-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		40 | module "pagerduty_core_alerts" {
		41 |   depends_on = [
		42 |     aws_sns_topic.lb_5xx_alarm_topic
		43 |   ]
		44 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		45 |   sns_topics                = [aws_sns_topic.lb_5xx_alarm_topic.name]
		46 |   pagerduty_integration_key = local.pagerduty_integration_keys["cdpt-ifs-alarms"]
		47 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/loadbalancer.tf line 97:
  97: resource "random_string" "ifs_target_group_name" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-08T16:01:05Z	INFO	Need to update DB
2024-07-08T16:01:05Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-08T16:01:07Z	INFO	Vulnerability scanning is enabled
2024-07-08T16:01:07Z	INFO	Misconfiguration scanning is enabled
2024-07-08T16:01:07Z	INFO	Need to update the built-in policies
2024-07-08T16:01:07Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-08T16:01:07Z	INFO	Secret scanning is enabled
2024-07-08T16:01:07Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-08T16:01:07Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-08T16:01:12Z	INFO	Number of language-specific files	num=0
2024-07-08T16:01:12Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:18-20
────────────────────────────────────────
  18resource "aws_sns_topic" "lb_5xx_alarm_topic" {
  19 │   name = "lb_5xx_alarm_topic"
  20 └ }
────────────────────────────────────────


trivy_exitcode=1

@roncitrus roncitrus temporarily deployed to cdpt-ifs-development July 9, 2024 13:47 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 9, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-09T13:47:48Z INFO Need to update DB
2024-07-09T13:47:48Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-09T13:47:50Z INFO Vulnerability scanning is enabled
2024-07-09T13:47:50Z INFO Misconfiguration scanning is enabled
2024-07-09T13:47:50Z INFO Need to update the built-in policies
2024-07-09T13:47:50Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-09T13:47:51Z INFO Secret scanning is enabled
2024-07-09T13:47:51Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-09T13:47:51Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-09T13:47:53Z INFO Number of language-specific files num=0
2024-07-09T13:47:53Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:5-7
────────────────────────────────────────
5 ┌ resource "aws_sns_topic" "lb_5xx_alarm_topic" {
6 │ name = "lb_5xx_alarm_topic"
7 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-09 13:47:55,801 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-09 13:47:55,801 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-07-09 13:47:55,801 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 101, Failed checks: 39, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_5xx_alarm_topic
	File: /monitoring.tf:5-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		5 | resource "aws_sns_topic" "lb_5xx_alarm_topic" {
		6 |   name = "lb_5xx_alarm_topic"
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:44-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		44 | module "pagerduty_core_alerts" {
		45 |   depends_on = [
		46 |     aws_sns_topic.lb_5xx_alarm_topic
		47 |   ]
		48 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		49 |   sns_topics                = [aws_sns_topic.lb_5xx_alarm_topic.name]
		50 |   pagerduty_integration_key = local.pagerduty_integration_keys["cdpt-ifs-alarms"]
		51 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/loadbalancer.tf line 97:
  97: resource "random_string" "ifs_target_group_name" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-09T13:47:48Z	INFO	Need to update DB
2024-07-09T13:47:48Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-09T13:47:50Z	INFO	Vulnerability scanning is enabled
2024-07-09T13:47:50Z	INFO	Misconfiguration scanning is enabled
2024-07-09T13:47:50Z	INFO	Need to update the built-in policies
2024-07-09T13:47:50Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-09T13:47:51Z	INFO	Secret scanning is enabled
2024-07-09T13:47:51Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-09T13:47:51Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-09T13:47:53Z	INFO	Number of language-specific files	num=0
2024-07-09T13:47:53Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:5-7
────────────────────────────────────────
   5resource "aws_sns_topic" "lb_5xx_alarm_topic" {
   6 │   name = "lb_5xx_alarm_topic"
   7 └ }
────────────────────────────────────────


trivy_exitcode=1

@roncitrus roncitrus temporarily deployed to cdpt-ifs-development July 9, 2024 13:53 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 9, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-09T13:53:50Z INFO Need to update DB
2024-07-09T13:53:50Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-09T13:53:52Z INFO Vulnerability scanning is enabled
2024-07-09T13:53:52Z INFO Misconfiguration scanning is enabled
2024-07-09T13:53:52Z INFO Need to update the built-in policies
2024-07-09T13:53:52Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-09T13:53:52Z INFO Secret scanning is enabled
2024-07-09T13:53:52Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-09T13:53:52Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-09T13:53:55Z INFO Number of language-specific files num=0
2024-07-09T13:53:55Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:5-7
────────────────────────────────────────
5 ┌ resource "aws_sns_topic" "lb_5xx_alarm_topic" {
6 │ name = "lb_5xx_alarm_topic"
7 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-09 13:53:57,551 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-09 13:53:57,551 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-07-09 13:53:57,551 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 101, Failed checks: 39, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_5xx_alarm_topic
	File: /monitoring.tf:5-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		5 | resource "aws_sns_topic" "lb_5xx_alarm_topic" {
		6 |   name = "lb_5xx_alarm_topic"
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:44-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		44 | module "pagerduty_core_alerts" {
		45 |   depends_on = [
		46 |     aws_sns_topic.lb_5xx_alarm_topic
		47 |   ]
		48 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		49 |   sns_topics                = [aws_sns_topic.lb_5xx_alarm_topic.name]
		50 |   pagerduty_integration_key = local.pagerduty_integration_keys["cdpt-ifs-alarms"]
		51 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/loadbalancer.tf line 97:
  97: resource "random_string" "ifs_target_group_name" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-09T13:53:50Z	INFO	Need to update DB
2024-07-09T13:53:50Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-09T13:53:52Z	INFO	Vulnerability scanning is enabled
2024-07-09T13:53:52Z	INFO	Misconfiguration scanning is enabled
2024-07-09T13:53:52Z	INFO	Need to update the built-in policies
2024-07-09T13:53:52Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-09T13:53:52Z	INFO	Secret scanning is enabled
2024-07-09T13:53:52Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-09T13:53:52Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-09T13:53:55Z	INFO	Number of language-specific files	num=0
2024-07-09T13:53:55Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:5-7
────────────────────────────────────────
   5resource "aws_sns_topic" "lb_5xx_alarm_topic" {
   6 │   name = "lb_5xx_alarm_topic"
   7 └ }
────────────────────────────────────────


trivy_exitcode=1

@roncitrus roncitrus temporarily deployed to cdpt-ifs-development July 9, 2024 14:20 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 9, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs terraform/environments/observability-platform

Running Trivy in terraform/environments/cdpt-ifs
2024-07-09T14:21:08Z INFO Need to update DB
2024-07-09T14:21:08Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-09T14:21:10Z INFO Vulnerability scanning is enabled
2024-07-09T14:21:10Z INFO Misconfiguration scanning is enabled
2024-07-09T14:21:10Z INFO Need to update the built-in policies
2024-07-09T14:21:10Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-09T14:21:11Z INFO Secret scanning is enabled
2024-07-09T14:21:11Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-09T14:21:11Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-09T14:21:13Z INFO Number of language-specific files num=0
2024-07-09T14:21:13Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:5-7
────────────────────────────────────────
5 ┌ resource "aws_sns_topic" "lb_5xx_alarm_topic" {
6 │ name = "lb_5xx_alarm_topic"
7 └ }
────────────────────────────────────────

trivy_exitcode=1

Running Trivy in terraform/environments/observability-platform
2024-07-09T14:21:13Z INFO Vulnerability scanning is enabled
2024-07-09T14:21:13Z INFO Misconfiguration scanning is enabled
2024-07-09T14:21:13Z INFO Secret scanning is enabled
2024-07-09T14:21:13Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-09T14:21:13Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-09T14:21:15Z INFO Number of language-specific files num=0
2024-07-09T14:21:15Z INFO Detected config files num=5

git::https:/github.com/terraform-aws-modules/terraform-aws-lambda?ref=b88a85627c84a4e9d1ad2a655455d10b386bc63f/iam.tf (terraform)

Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-managed-service-grafana?ref=14dc9a17539887d8c92456b6d4464f379d8c7bd1/main.tf (terraform)

Tests: 29 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 29)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs terraform/environments/observability-platform

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-09 14:21:18,330 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-09 14:21:18,331 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-07-09 14:21:18,331 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 101, Failed checks: 39, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_5xx_alarm_topic
	File: /monitoring.tf:5-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		5 | resource "aws_sns_topic" "lb_5xx_alarm_topic" {
		6 |   name = "lb_5xx_alarm_topic"
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:44-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		44 | module "pagerduty_core_alerts" {
		45 |   depends_on = [
		46 |     aws_sns_topic.lb_5xx_alarm_topic
		47 |   ]
		48 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		49 |   sns_topics                = [aws_sns_topic.lb_5xx_alarm_topic.name]
		50 |   pagerduty_integration_key = local.pagerduty_integration_keys["cdpt-ifs-alarms"]
		51 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/observability-platform
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-09 14:21:21,228 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-grafana/aws:2.1.1 (for external modules, the --download-external-modules flag is required)
2024-07-09 14:21:21,228 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.7.0 (for external modules, the --download-external-modules flag is required)
2024-07-09 14:21:21,228 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:2.2.3 (for external modules, the --download-external-modules flag is required)
2024-07-09 14:21:21,228 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.39.1 (for external modules, the --download-external-modules flag is required)
2024-07-09 14:21:21,228 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-07-09 14:21:21,228 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.39.1 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 30, Failed checks: 0, Skipped checks: 22


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs terraform/environments/observability-platform

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/loadbalancer.tf line 97:
  97: resource "random_string" "ifs_target_group_name" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/observability-platform
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs terraform/environments/observability-platform

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-09T14:21:08Z	INFO	Need to update DB
2024-07-09T14:21:08Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-09T14:21:10Z	INFO	Vulnerability scanning is enabled
2024-07-09T14:21:10Z	INFO	Misconfiguration scanning is enabled
2024-07-09T14:21:10Z	INFO	Need to update the built-in policies
2024-07-09T14:21:10Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-09T14:21:11Z	INFO	Secret scanning is enabled
2024-07-09T14:21:11Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-09T14:21:11Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-09T14:21:13Z	INFO	Number of language-specific files	num=0
2024-07-09T14:21:13Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:5-7
────────────────────────────────────────
   5resource "aws_sns_topic" "lb_5xx_alarm_topic" {
   6 │   name = "lb_5xx_alarm_topic"
   7 └ }
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/observability-platform
2024-07-09T14:21:13Z	INFO	Vulnerability scanning is enabled
2024-07-09T14:21:13Z	INFO	Misconfiguration scanning is enabled
2024-07-09T14:21:13Z	INFO	Secret scanning is enabled
2024-07-09T14:21:13Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-09T14:21:13Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-09T14:21:15Z	INFO	Number of language-specific files	num=0
2024-07-09T14:21:15Z	INFO	Detected config files	num=5

git::https:/github.com/terraform-aws-modules/terraform-aws-lambda?ref=b88a85627c84a4e9d1ad2a655455d10b386bc63f/iam.tf (terraform)
=================================================================================================================================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


git::https:/github.com/terraform-aws-modules/terraform-aws-managed-service-grafana?ref=14dc9a17539887d8c92456b6d4464f379d8c7bd1/main.tf (terraform)
===================================================================================================================================================
Tests: 29 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 29)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@roncitrus roncitrus had a problem deploying to cdpt-ifs-development July 10, 2024 08:09 — with GitHub Actions Error
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-10T08:10:22Z INFO Need to update DB
2024-07-10T08:10:22Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-10T08:10:24Z INFO Vulnerability scanning is enabled
2024-07-10T08:10:24Z INFO Misconfiguration scanning is enabled
2024-07-10T08:10:24Z INFO Need to update the built-in policies
2024-07-10T08:10:24Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-10T08:10:25Z INFO Secret scanning is enabled
2024-07-10T08:10:25Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-10T08:10:25Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-10T08:10:27Z INFO Number of language-specific files num=0
2024-07-10T08:10:27Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:5-7
────────────────────────────────────────
5 ┌ resource "aws_sns_topic" "lb_5xx_alarm_topic" {
6 │ name = "lb_5xx_alarm_topic"
7 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-10 08:10:29,688 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-10 08:10:29,688 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-07-10 08:10:29,688 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 101, Failed checks: 39, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_5xx_alarm_topic
	File: /monitoring.tf:5-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		5 | resource "aws_sns_topic" "lb_5xx_alarm_topic" {
		6 |   name = "lb_5xx_alarm_topic"
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:44-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		44 | module "pagerduty_core_alerts" {
		45 |   depends_on = [
		46 |     aws_sns_topic.lb_5xx_alarm_topic
		47 |   ]
		48 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		49 |   sns_topics                = [aws_sns_topic.lb_5xx_alarm_topic.name]
		50 |   pagerduty_integration_key = local.pagerduty_integration_keys["cdpt-ifs-alarms"]
		51 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/secrets.tf line 5:
   5: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-10T08:10:22Z	INFO	Need to update DB
2024-07-10T08:10:22Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-10T08:10:24Z	INFO	Vulnerability scanning is enabled
2024-07-10T08:10:24Z	INFO	Misconfiguration scanning is enabled
2024-07-10T08:10:24Z	INFO	Need to update the built-in policies
2024-07-10T08:10:24Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-10T08:10:25Z	INFO	Secret scanning is enabled
2024-07-10T08:10:25Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-10T08:10:25Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-10T08:10:27Z	INFO	Number of language-specific files	num=0
2024-07-10T08:10:27Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:5-7
────────────────────────────────────────
   5resource "aws_sns_topic" "lb_5xx_alarm_topic" {
   6 │   name = "lb_5xx_alarm_topic"
   7 └ }
────────────────────────────────────────


trivy_exitcode=1

@roncitrus roncitrus temporarily deployed to cdpt-ifs-development July 10, 2024 08:13 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-10T08:13:44Z INFO Need to update DB
2024-07-10T08:13:44Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-10T08:13:47Z INFO Vulnerability scanning is enabled
2024-07-10T08:13:47Z INFO Misconfiguration scanning is enabled
2024-07-10T08:13:47Z INFO Need to update the built-in policies
2024-07-10T08:13:47Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-10T08:13:47Z INFO Secret scanning is enabled
2024-07-10T08:13:47Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-10T08:13:47Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-10T08:13:52Z INFO Number of language-specific files num=0
2024-07-10T08:13:52Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:5-7
────────────────────────────────────────
5 ┌ resource "aws_sns_topic" "lb_5xx_alarm_topic" {
6 │ name = "lb_5xx_alarm_topic"
7 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-10 08:13:55,177 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-10 08:13:55,177 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-07-10 08:13:55,177 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 101, Failed checks: 39, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:44-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		44 | module "pagerduty_core_alerts" {
		45 |   depends_on = [
		46 |     aws_sns_topic.lb_5xx_alarm_topic
		47 |   ]
		48 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		49 |   sns_topics                = [aws_sns_topic.lb_5xx_alarm_topic.name]
		50 |   pagerduty_integration_key = local.pagerduty_integration_keys["cdpt-ifs-alarms"]
		51 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_5xx_alarm_topic
	File: /monitoring.tf:5-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		5 | resource "aws_sns_topic" "lb_5xx_alarm_topic" {
		6 |   name = "lb_5xx_alarm_topic"
		7 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/loadbalancer.tf line 97:
  97: resource "random_string" "ifs_target_group_name" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-10T08:13:44Z	INFO	Need to update DB
2024-07-10T08:13:44Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-10T08:13:47Z	INFO	Vulnerability scanning is enabled
2024-07-10T08:13:47Z	INFO	Misconfiguration scanning is enabled
2024-07-10T08:13:47Z	INFO	Need to update the built-in policies
2024-07-10T08:13:47Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-10T08:13:47Z	INFO	Secret scanning is enabled
2024-07-10T08:13:47Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-10T08:13:47Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-10T08:13:52Z	INFO	Number of language-specific files	num=0
2024-07-10T08:13:52Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:5-7
────────────────────────────────────────
   5resource "aws_sns_topic" "lb_5xx_alarm_topic" {
   6 │   name = "lb_5xx_alarm_topic"
   7 └ }
────────────────────────────────────────


trivy_exitcode=1

@roncitrus roncitrus temporarily deployed to cdpt-ifs-development July 10, 2024 08:43 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-10T08:44:41Z INFO Need to update DB
2024-07-10T08:44:41Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-10T08:44:43Z INFO Vulnerability scanning is enabled
2024-07-10T08:44:43Z INFO Misconfiguration scanning is enabled
2024-07-10T08:44:43Z INFO Need to update the built-in policies
2024-07-10T08:44:43Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-10T08:44:43Z INFO Secret scanning is enabled
2024-07-10T08:44:43Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-10T08:44:43Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-10T08:44:45Z INFO Number of language-specific files num=0
2024-07-10T08:44:45Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:5-7
────────────────────────────────────────
5 ┌ resource "aws_sns_topic" "lb_5xx_alarm_topic" {
6 │ name = "lb_5xx_alarm_topic"
7 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-10 08:44:48,507 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-10 08:44:48,507 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-07-10 08:44:48,508 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 101, Failed checks: 39, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:44-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		44 | module "pagerduty_core_alerts" {
		45 |   depends_on = [
		46 |     aws_sns_topic.lb_5xx_alarm_topic
		47 |   ]
		48 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		49 |   sns_topics                = [aws_sns_topic.lb_5xx_alarm_topic.name]
		50 |   pagerduty_integration_key = local.pagerduty_integration_keys["cdpt-ifs-alarms"]
		51 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_5xx_alarm_topic
	File: /monitoring.tf:5-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		5 | resource "aws_sns_topic" "lb_5xx_alarm_topic" {
		6 |   name = "lb_5xx_alarm_topic"
		7 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/secrets.tf line 5:
   5: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-10T08:44:41Z	INFO	Need to update DB
2024-07-10T08:44:41Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-10T08:44:43Z	INFO	Vulnerability scanning is enabled
2024-07-10T08:44:43Z	INFO	Misconfiguration scanning is enabled
2024-07-10T08:44:43Z	INFO	Need to update the built-in policies
2024-07-10T08:44:43Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-10T08:44:43Z	INFO	Secret scanning is enabled
2024-07-10T08:44:43Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-10T08:44:43Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-10T08:44:45Z	INFO	Number of language-specific files	num=0
2024-07-10T08:44:45Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:5-7
────────────────────────────────────────
   5resource "aws_sns_topic" "lb_5xx_alarm_topic" {
   6 │   name = "lb_5xx_alarm_topic"
   7 └ }
────────────────────────────────────────


trivy_exitcode=1

@roncitrus roncitrus temporarily deployed to cdpt-ifs-development July 10, 2024 10:49 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-10T10:50:15Z INFO Need to update DB
2024-07-10T10:50:15Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-10T10:50:17Z INFO Vulnerability scanning is enabled
2024-07-10T10:50:17Z INFO Misconfiguration scanning is enabled
2024-07-10T10:50:17Z INFO Need to update the built-in policies
2024-07-10T10:50:17Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-10T10:50:17Z INFO Secret scanning is enabled
2024-07-10T10:50:17Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-10T10:50:17Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-10T10:50:20Z INFO Number of language-specific files num=0
2024-07-10T10:50:20Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:5-7
────────────────────────────────────────
5 ┌ resource "aws_sns_topic" "lb_5xx_alarm_topic" {
6 │ name = "lb_5xx_alarm_topic"
7 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-10 10:50:22,478 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-10 10:50:22,478 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-07-10 10:50:22,478 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 101, Failed checks: 39, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_5xx_alarm_topic
	File: /monitoring.tf:5-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		5 | resource "aws_sns_topic" "lb_5xx_alarm_topic" {
		6 |   name = "lb_5xx_alarm_topic"
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:48-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		48 | module "pagerduty_core_alerts" {
		49 |   depends_on = [
		50 |     aws_sns_topic.lb_5xx_alarm_topic
		51 |   ]
		52 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		53 |   sns_topics                = [aws_sns_topic.lb_5xx_alarm_topic.name]
		54 |   pagerduty_integration_key = local.pagerduty_integration_keys["cdpt-ifs-alarms"]
		55 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/secrets.tf line 5:
   5: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-10T10:50:15Z	INFO	Need to update DB
2024-07-10T10:50:15Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-10T10:50:17Z	INFO	Vulnerability scanning is enabled
2024-07-10T10:50:17Z	INFO	Misconfiguration scanning is enabled
2024-07-10T10:50:17Z	INFO	Need to update the built-in policies
2024-07-10T10:50:17Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-10T10:50:17Z	INFO	Secret scanning is enabled
2024-07-10T10:50:17Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-10T10:50:17Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-10T10:50:20Z	INFO	Number of language-specific files	num=0
2024-07-10T10:50:20Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:5-7
────────────────────────────────────────
   5resource "aws_sns_topic" "lb_5xx_alarm_topic" {
   6 │   name = "lb_5xx_alarm_topic"
   7 └ }
────────────────────────────────────────


trivy_exitcode=1

@roncitrus roncitrus had a problem deploying to cdpt-ifs-development July 10, 2024 12:04 — with GitHub Actions Error
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-07-10T12:05:01Z INFO Need to update DB
2024-07-10T12:05:01Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-10T12:05:03Z INFO Vulnerability scanning is enabled
2024-07-10T12:05:03Z INFO Misconfiguration scanning is enabled
2024-07-10T12:05:03Z INFO Need to update the built-in policies
2024-07-10T12:05:03Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-10T12:05:03Z INFO Secret scanning is enabled
2024-07-10T12:05:03Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-10T12:05:03Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-10T12:05:05Z INFO Number of language-specific files num=0
2024-07-10T12:05:05Z INFO Detected config files num=10

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:349
via ecs.tf:344-350 (egress)
via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
323 resource "aws_security_group" "cluster_ec2" {
...
349 [ cidr_blocks = ["0.0.0.0/0"]
...
358 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:489
via ecs.tf:485-490 (egress)
via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
473 resource "aws_security_group" "ecs_service" {
...
489 [ cidr_blocks = ["0.0.0.0/0"]
...
491 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)

Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
190 [ cidr_blocks = lookup(ingress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:152
via loadbalancer.tf:147-153 (egress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
152 [ cidr_blocks = ["0.0.0.0/0"]
...
154 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:174
via loadbalancer.tf:169-175 (egress)
via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
156 resource "aws_security_group" "ifs_target_sc" {
...
174 [ cidr_blocks = ["0.0.0.0/0"]
...
176 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:144
via loadbalancer.tf:139-145 (ingress)
via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
134 resource "aws_security_group" "ifs_lb_sc" {
...
144 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
...
154 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:5-7
────────────────────────────────────────
5 ┌ resource "aws_sns_topic" "lb_5xx_alarm_topic" {
6 │ name = "lb_5xx_alarm_topic"
7 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-10 12:05:07,816 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-07-10 12:05:07,816 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-07-10 12:05:07,816 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 101, Failed checks: 39, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:48-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		48 | module "pagerduty_core_alerts" {
		49 |   depends_on = [
		50 |     aws_sns_topic.lb_5xx_alarm_topic
		51 |   ]
		52 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		53 |   sns_topics                = [aws_sns_topic.lb_5xx_alarm_topic.name]
		54 |   pagerduty_integration_key = local.pagerduty_integration_keys["cdpt-ifs-alarms"]
		55 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_5xx_alarm_topic
	File: /monitoring.tf:5-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		5 | resource "aws_sns_topic" "lb_5xx_alarm_topic" {
		6 |   name = "lb_5xx_alarm_topic"
		7 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/loadbalancer.tf line 97:
  97: resource "random_string" "ifs_target_group_name" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-07-10T12:05:01Z	INFO	Need to update DB
2024-07-10T12:05:01Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-10T12:05:03Z	INFO	Vulnerability scanning is enabled
2024-07-10T12:05:03Z	INFO	Misconfiguration scanning is enabled
2024-07-10T12:05:03Z	INFO	Need to update the built-in policies
2024-07-10T12:05:03Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-10T12:05:03Z	INFO	Secret scanning is enabled
2024-07-10T12:05:03Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-10T12:05:03Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-10T12:05:05Z	INFO	Number of language-specific files	num=0
2024-07-10T12:05:05Z	INFO	Detected config files	num=10

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:349
   via ecs.tf:344-350 (egress)
    via ecs.tf:323-358 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 323   resource "aws_security_group" "cluster_ec2" {
 ...   
 349 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 358   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:489
   via ecs.tf:485-490 (egress)
    via ecs.tf:473-491 (aws_security_group.ecs_service)
────────────────────────────────────────
 473   resource "aws_security_group" "ecs_service" {
 ...   
 489 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 491   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests: 7 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 202 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:190
   via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:185-192 (content)
    via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:183-193 (dynamic.ingress["cluster_ec2_lb_ingress"])
     via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
      via loadbalancer.tf:78-95 (module.lb_access_logs_enabled)
────────────────────────────────────────
 177   resource "aws_security_group" "lb" {
 ...   
 190 [       cidr_blocks     = lookup(ingress.value, "cidr_blocks", null)
 ...   
 213   }
────────────────────────────────────────



loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:152
   via loadbalancer.tf:147-153 (egress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 152 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 154   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:174
   via loadbalancer.tf:169-175 (egress)
    via loadbalancer.tf:156-176 (aws_security_group.ifs_target_sc)
────────────────────────────────────────
 156   resource "aws_security_group" "ifs_target_sc" {
 ...   
 174 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 176   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:144
   via loadbalancer.tf:139-145 (ingress)
    via loadbalancer.tf:134-154 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
 134   resource "aws_security_group" "ifs_lb_sc" {
 ...   
 144 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
 ...   
 154   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:5-7
────────────────────────────────────────
   5resource "aws_sns_topic" "lb_5xx_alarm_topic" {
   6 │   name = "lb_5xx_alarm_topic"
   7 └ }
────────────────────────────────────────


trivy_exitcode=1

ep-93
ep-93 approved these changes Jul 10, 2024
View reviewed changes
Copy link
Contributor

@ep-93 ep-93 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved on the understanding that SCA failures will be addressed, and a better description added.

@roncitrus roncitrus merged commit 776aa1f into main Jul 10, 2024
12 of 14 checks passed
@roncitrus roncitrus deleted the ifs-lb-alarm branch July 10, 2024 13:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ep-93 ep-93 ep-93 approved these changes

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@roncitrus @ep-93