Add SSH key for Luigi Di Fraia

[luigidifraiawork]

No description provided.

[github-actions]

Trivy Scan Success

Show Output

```hcl

---

Trivy will check the following folders:

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:

Trivy Scan Success

Show Output

*****************************

Trivy will check the following folders:

[github-actions]

Trivy Scan Failed

Show Output

```hcl

---

Trivy will check the following folders:
terraform/environments/xhibit-portal

---

Running Trivy in terraform/environments/xhibit-portal
2024-09-12T09:18:39Z INFO [db] Need to update DB
2024-09-12T09:18:39Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T09:18:41Z INFO [vuln] Vulnerability scanning is enabled
2024-09-12T09:18:41Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-12T09:18:41Z INFO Need to update the built-in policies
2024-09-12T09:18:41Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-12T09:18:41Z INFO [secret] Secret scanning is enabled
2024-09-12T09:18:41Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T09:18:41Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T09:18:42Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-12T09:18:42Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-12T09:18:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-09-12T09:18:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-09-12T09:18:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-12T09:18:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-12T09:18:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-12T09:18:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-12T09:18:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-12T09:18:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-12T09:18:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-12T09:18:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-12T09:18:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-12T09:18:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-12T09:18:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-12T09:18:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-12T09:18:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-12T09:18:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-12T09:18:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-12T09:18:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-12T09:18:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-12T09:18:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-12T09:18:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-12T09:18:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-12T09:18:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-12T09:18:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-12T09:18:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-12T09:18:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-12T09:18:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-12T09:18:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:303-321"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:303-321"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:8-19"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:8-19"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:157-165"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-lambda-enable-tracing" range="lambda.tf:150-164"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-lambda-enable-tracing" range="lambda.tf:57-69"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:8-19"
2024-09-12T09:18:44Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:8-19"
2024-09-12T09:18:44Z INFO [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="scripts/perf/node_modules"
2024-09-12T09:18:44Z INFO Number of language-specific files num=1
2024-09-12T09:18:44Z INFO [npm] Detecting vulnerabilities...
2024-09-12T09:18:44Z INFO Detected config files num=24

For OSS Maintainers: VEX Notice

If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://aquasecurity.github.io/trivy/v0.55/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.

scripts/perf/package-lock.json (npm)

Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ jsonwebtoken │ CVE-2022-23539 │ HIGH │ fixed │ 8.5.1 │ 9.0.0 │ jsonwebtoken: Unrestricted key type could lead to legacy │
│ │ │ │ │ │ │ keys usagen │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-23539 │
├──────────────┼────────────────┤ │ ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ semver │ CVE-2022-25883 │ │ │ 5.7.1 │ 7.5.2, 6.3.1, 5.7.2 │ nodejs-semver: Regular expression denial of service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-25883 │
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴──────────────────────────────────────────────────────────┘

importmachine.tf (terraform)

Tests: 9 (SUCCESSES: 5, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
importmachine.tf:29
via importmachine.tf:23-30 (egress)
via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
1 resource "aws_security_group" "importmachine" {
.
29 [ ipv6_cidr_blocks = ["::/0"]
..
32 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
importmachine.tf:28
via importmachine.tf:23-30 (egress)
via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
1 resource "aws_security_group" "importmachine" {
.
28 [ cidr_blocks = ["0.0.0.0/0"]
..
32 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
importmachine.tf:20
via importmachine.tf:14-21 (ingress)
via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
1 resource "aws_security_group" "importmachine" {
.
20 [ ipv6_cidr_blocks = ["::/0"]
..
32 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
importmachine.tf:19
via importmachine.tf:14-21 (ingress)
via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
1 resource "aws_security_group" "importmachine" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
32 }
────────────────────────────────────────

ingestion-load-balancer.tf (terraform)

Tests: 8 (SUCCESSES: 2, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 5, CRITICAL: 1)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ingestion-load-balancer.tf:59
via ingestion-load-balancer.tf:52-97 (aws_elb.ingestion_lb)
────────────────────────────────────────
52 resource "aws_elb" "ingestion_lb" {
..
59 [ internal = false
..
97 }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
ingestion-load-balancer.tf:26-36
via ingestion-load-balancer.tf:18-40 (aws_security_group_rule.ingestion_lb_allow_web_users)
────────────────────────────────────────
18 resource "aws_security_group_rule" "ingestion_lb_allow_web_users" {
..
26 ┌ cidr_blocks = [
27 │ "10.182.60.51/32", # NLE CGI proxy
28 │ "195.59.75.151/32", # New proxy IPs from Prashanth for testing ingestion NLE DEV
29 │ "195.59.75.152/32", # New proxy IPs from Prashanth for testing ingestion NLE DEV
30 │ "194.33.192.0/24", # New proxy IPs from Prashanth for testing ingestion LE PROD
31 │ "194.33.196.0/24", # New proxy IPs from Prashanth for testing ingestion LE PROD
32 └ "194.33.248.0/24", # New proxy IPs from Prashanth for testing ingestion LE PROD
..
────────────────────────────────────────

network-infrastructure.tf (terraform)

Tests: 64 (SUCCESSES: 54, FAILURES: 10, EXCEPTIONS: 0)
Failures: 10 (HIGH: 0, CRITICAL: 10)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
network-infrastructure.tf:129
via network-infrastructure.tf:120-130 (aws_security_group_rule.exchange-outbound-all)
────────────────────────────────────────
120 resource "aws_security_group_rule" "exchange-outbound-all" {
121 depends_on = [aws_security_group.exchange_server]
122 security_group_id = aws_security_group.exchange_server.id
123 type = "egress"
124 description = "allow all"
125 from_port = 0
126 to_port = 0
127 protocol = "-1"
128 cidr_blocks = ["0.0.0.0/0"]
...
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
network-infrastructure.tf:128
via network-infrastructure.tf:120-130 (aws_security_group_rule.exchange-outbound-all)
────────────────────────────────────────
120 resource "aws_security_group_rule" "exchange-outbound-all" {
121 depends_on = [aws_security_group.exchange_server]
122 security_group_id = aws_security_group.exchange_server.id
123 type = "egress"
124 description = "allow all"
125 from_port = 0
126 to_port = 0
127 protocol = "-1"
128 [ cidr_blocks = ["0.0.0.0/0"]
...
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
network-infrastructure.tf:694
via network-infrastructure.tf:685-695 (aws_security_group_rule.iisrelay-outbound-all)
────────────────────────────────────────
685 resource "aws_security_group_rule" "iisrelay-outbound-all" {
686 depends_on = [aws_security_group.iisrelay_server]
687 security_group_id = aws_security_group.iisrelay_server.id
688 type = "egress"
689 description = "allow all"
690 from_port = 0
691 to_port = 0
692 protocol = "-1"
693 cidr_blocks = ["0.0.0.0/0"]
...
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
network-infrastructure.tf:693
via network-infrastructure.tf:685-695 (aws_security_group_rule.iisrelay-outbound-all)
────────────────────────────────────────
685 resource "aws_security_group_rule" "iisrelay-outbound-all" {
686 depends_on = [aws_security_group.iisrelay_server]
687 security_group_id = aws_security_group.iisrelay_server.id
688 type = "egress"
689 description = "allow all"
690 from_port = 0
691 to_port = 0
692 protocol = "-1"
693 [ cidr_blocks = ["0.0.0.0/0"]
...
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
network-infrastructure.tf:207
via network-infrastructure.tf:199-208 (aws_security_group_rule.sms-outbound-all-ipv4)
────────────────────────────────────────
199 resource "aws_security_group_rule" "sms-outbound-all-ipv4" {
200 depends_on = [aws_security_group.sms_server]
201 security_group_id = aws_security_group.sms_server.id
202 type = "egress"
203 description = "allow all ipv4"
204 from_port = 0
205 to_port = 0
206 protocol = "-1"
207 [ cidr_blocks = ["0.0.0.0/0"]
208 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
network-infrastructure.tf:218
via network-infrastructure.tf:210-219 (aws_security_group_rule.sms-outbound-all-ipv6)
────────────────────────────────────────
210 resource "aws_security_group_rule" "sms-outbound-all-ipv6" {
211 depends_on = [aws_security_group.sms_server]
212 security_group_id = aws_security_group.sms_server.id
213 type = "egress"
214 description = "allow all ipv6"
215 from_port = 0
216 to_port = 0
217 protocol = "-1"
218 [ ipv6_cidr_blocks = ["::/0"]
219 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
network-infrastructure.tf:297
via network-infrastructure.tf:288-298 (aws_security_group_rule.prtg_lb_allow_web_users)
────────────────────────────────────────
288 resource "aws_security_group_rule" "prtg_lb_allow_web_users" {
289 depends_on = [aws_security_group.prtg_lb]
290 security_group_id = aws_security_group.prtg_lb.id
291 type = "ingress"
292 description = "allow web traffic to get to prtg Load Balancer over SSL "
293 from_port = 443
294 to_port = 443
295 protocol = "TCP"
296 cidr_blocks = ["0.0.0.0/0"]
...
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
network-infrastructure.tf:296
via network-infrastructure.tf:288-298 (aws_security_group_rule.prtg_lb_allow_web_users)
────────────────────────────────────────
288 resource "aws_security_group_rule" "prtg_lb_allow_web_users" {
289 depends_on = [aws_security_group.prtg_lb]
290 security_group_id = aws_security_group.prtg_lb.id
291 type = "ingress"
292 description = "allow web traffic to get to prtg Load Balancer over SSL "
293 from_port = 443
294 to_port = 443
295 protocol = "TCP"
296 [ cidr_blocks = ["0.0.0.0/0"]
...
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
network-infrastructure.tf:285
via network-infrastructure.tf:276-286 (aws_security_group_rule.waf_lb_allow_web_users)
────────────────────────────────────────
276 resource "aws_security_group_rule" "waf_lb_allow_web_users" {
277 depends_on = [aws_security_group.waf_lb]
278 security_group_id = aws_security_group.waf_lb.id
279 type = "ingress"
280 description = "allow web traffic to get to ingestion server"
281 from_port = 443
282 to_port = 443
283 protocol = "TCP"
284 cidr_blocks = ["0.0.0.0/0"]
...
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
network-infrastructure.tf:284
via network-infrastructure.tf:276-286 (aws_security_group_rule.waf_lb_allow_web_users)
────────────────────────────────────────
276 resource "aws_security_group_rule" "waf_lb_allow_web_users" {
277 depends_on = [aws_security_group.waf_lb]
278 security_group_id = aws_security_group.waf_lb.id
279 type = "ingress"
280 description = "allow web traffic to get to ingestion server"
281 from_port = 443
282 to_port = 443
283 protocol = "TCP"
284 [ cidr_blocks = ["0.0.0.0/0"]
...
────────────────────────────────────────

prtg-load-balancer.tf (terraform)

Tests: 11 (SUCCESSES: 4, FAILURES: 7, EXCEPTIONS: 0)
Failures: 7 (HIGH: 6, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
prtg-load-balancer.tf:82
via prtg-load-balancer.tf:73-90 (aws_lb_listener.prtg_lb_listener)
────────────────────────────────────────
73 resource "aws_lb_listener" "prtg_lb_listener" {
..
82 [ ssl_policy = "ELBSecurityPolicy-2016-08"
..
90 }
────────────────────────────────────────

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
prtg-load-balancer.tf:12-37
────────────────────────────────────────
12 ┌ resource "aws_lb" "prtg_lb" {
13 │
14 │ depends_on = [
15 │ aws_security_group.prtg_lb,
16 │ ]
17 │
18 │ name = "prtg-lb-${var.networking[0].application}"
19 │ internal = false
20 └ load_balancer_type = "application"
..
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
prtg-load-balancer.tf:19
via prtg-load-balancer.tf:12-37 (aws_lb.prtg_lb)
────────────────────────────────────────
12 resource "aws_lb" "prtg_lb" {
..
19 [ internal = false
..
37 }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

waf-load-balancer.tf (terraform)

Tests: 18 (SUCCESSES: 7, FAILURES: 11, EXCEPTIONS: 0)
Failures: 11 (HIGH: 10, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
waf-load-balancer.tf:96
via waf-load-balancer.tf:87-104 (aws_lb_listener.waf_lb_listener)
────────────────────────────────────────
87 resource "aws_lb_listener" "waf_lb_listener" {
..
96 [ ssl_policy = "ELBSecurityPolicy-2016-08"
...
104 }
────────────────────────────────────────

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
waf-load-balancer.tf:27-52
────────────────────────────────────────
27 ┌ resource "aws_lb" "waf_lb" {
28 │
29 │ depends_on = [
30 │ aws_security_group.waf_lb,
31 │ ]
32 │
33 │ name = "waf-lb-${var.networking[0].application}"
34 │ internal = false
35 └ load_balancer_type = "application"
..
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
waf-load-balancer.tf:34
via waf-load-balancer.tf:27-52 (aws_lb.waf_lb)
────────────────────────────────────────
27 resource "aws_lb" "waf_lb" {
..
34 [ internal = false
..
52 }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/xhibit-portal

*****************************

Running Checkov in terraform/environments/xhibit-portal
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-12 09:18:47,317 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import:None (for external modules, the --download-external-modules flag is required)
2024-09-12 09:18:47,318 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 541, Failed checks: 98, Skipped checks: 8

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app-server
	File: /app-server.tf:1-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "app-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig02-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 |   metadata_options {
		13 |     http_tokens   = "required"
		14 |     http_endpoint = "enabled"
		15 |   }
		16 | 
		17 |   root_block_device {
		18 |     encrypted = true
		19 |     tags = {
		20 |       Name = "root-block-device-app-${local.application_name}"
		21 |     }
		22 |   }
		23 | 
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       # This prevents clobbering the tags of attached EBS volumes. See
		27 |       # [this bug][1] in the AWS provider upstream.
		28 |       #
		29 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		30 |       #volume_tags,
		31 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		32 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		33 |     ]
		34 | 
		35 |     prevent_destroy = true
		36 |   }
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Name = "app-${local.application_name}"
		42 |     }
		43 |   )
		44 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:7-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		7  | module "bastion_linux" {
		8  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		9  | 
		10 |   providers = {
		11 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		12 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		13 |   }
		14 | 
		15 |   # s3 - used for logs and user ssh public keys
		16 |   bucket_name = "bastion"
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 |   # bastion
		25 |   allow_ssh_commands = false
		26 | 
		27 |   app_name      = var.networking[0].application
		28 |   business_unit = local.vpc_name
		29 |   subnet_set    = local.subnet_set
		30 |   environment   = local.environment
		31 |   region        = "eu-west-2"
		32 | 
		33 |   # Tags
		34 |   tags_common = local.tags
		35 |   tags_prefix = terraform.workspace
		36 | 
		37 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.build-server
	File: /build-server.tf:1-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "build-server" {
		2  |   depends_on                  = [aws_security_group.build_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].buildserver-ami
		5  |   vpc_security_group_ids      = [aws_security_group.build_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-build-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 |   }
		36 | 
		37 |   tags = merge(
		38 |     local.tags,
		39 |     {
		40 |       Name = "build-${local.application_name}"
		41 |     }
		42 |   )
		43 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.build-disk1
	File: /build-server.tf:46-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		46 | resource "aws_ebs_volume" "build-disk1" {
		47 |   depends_on        = [aws_instance.build-server]
		48 |   availability_zone = "${local.region}a"
		49 |   type              = "gp2"
		50 |   encrypted         = true
		51 | 
		52 |   snapshot_id = local.application_data.accounts[local.environment].buildserver-disk-1-snapshot
		53 | 
		54 |   tags = merge(
		55 |     local.tags,
		56 |     {
		57 |       Name = "build-disk1-${local.application_name}"
		58 |     }
		59 |   )
		60 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.cjim-server
	File: /cjim-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "cjim-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig04-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjim-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjim-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.cjim-disk1
	File: /cjim-server.tf:48-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		48 | resource "aws_ebs_volume" "cjim-disk1" {
		49 |   depends_on        = [aws_instance.cjim-server]
		50 |   availability_zone = "${local.region}a"
		51 |   type              = "gp2"
		52 |   encrypted         = true
		53 | 
		54 |   snapshot_id = local.application_data.accounts[local.environment].suprig04-disk-1-snapshot
		55 | 
		56 |   tags = merge(
		57 |     local.tags,
		58 |     {
		59 |       Name = "cjim-disk1-${local.application_name}"
		60 |     }
		61 |   )
		62 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.cjip-server
	File: /cjip-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "cjip-server" {
		2  |   depends_on                  = [aws_security_group.ingestion_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig05-ami
		5  |   vpc_security_group_ids      = [aws_security_group.ingestion_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjip-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjip-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.cjip-disk1
	File: /cjip-server.tf:48-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		48 | resource "aws_ebs_volume" "cjip-disk1" {
		49 |   depends_on        = [aws_instance.cjip-server]
		50 |   availability_zone = "${local.region}a"
		51 |   type              = "gp2"
		52 |   encrypted         = true
		53 | 
		54 |   snapshot_id = local.application_data.accounts[local.environment].suprig05-disk-1-snapshot
		55 | 
		56 |   tags = merge(
		57 |     local.tags,
		58 |     {
		59 |       Name = "cjip-disk1-${local.application_name}"
		60 |     }
		61 |   )
		62 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.shared_cmk_policy
	File: /cms_key.tf:16-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database-server-baremetal
	File: /database-server-baremetal.tf:3-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		3  | resource "aws_instance" "database-server-baremetal" {
		4  |   # Used to only allow the bare metal server to deploy in prod
		5  |   count                       = local.only_in_production
		6  |   depends_on                  = [aws_security_group.sms_server]
		7  |   instance_type               = "c5d.metal"
		8  |   ami                         = local.application_data.accounts[local.environment].suprig01-baremetal-ami
		9  |   vpc_security_group_ids      = [aws_security_group.sms_server.id]
		10 |   monitoring                  = false
		11 |   associate_public_ip_address = false
		12 |   ebs_optimized               = false
		13 |   subnet_id                   = data.aws_subnet.private_az_a.id
		14 |   key_name                    = aws_key_pair.ben.key_name
		15 | 
		16 | 
		17 |   metadata_options {
		18 |     http_tokens   = "required"
		19 |     http_endpoint = "enabled"
		20 |   }
		21 | 
		22 |   root_block_device {
		23 |     encrypted   = true
		24 |     volume_size = 300
		25 |     tags = {
		26 |       Name = "root-block-device-baremetal-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       volume_tags,
		37 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		38 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		39 |     ]
		40 | 
		41 |     prevent_destroy = true
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name = "baremetal-${local.application_name}"
		48 |     }
		49 |   )
		50 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-baremetal-disk1
	File: /database-server-baremetal.tf:53-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		53 | resource "aws_ebs_volume" "database-baremetal-disk1" {
		54 |   count             = local.only_in_production
		55 |   depends_on        = [aws_instance.database-server-baremetal]
		56 |   availability_zone = "${local.region}a"
		57 |   type              = "gp2"
		58 |   encrypted         = true
		59 |   size              = 4000
		60 | 
		61 |   tags = merge(
		62 |     local.tags,
		63 |     {
		64 |       Name = "database-baremetal-disk1-${local.application_name}"
		65 |     }
		66 |   )
		67 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.app-baremetal-disk2
	File: /database-server-baremetal.tf:98-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		98  | resource "aws_ebs_volume" "app-baremetal-disk2" {
		99  |   count             = local.only_in_production
		100 |   depends_on        = [aws_instance.database-server-baremetal]
		101 |   availability_zone = "${local.region}a"
		102 |   type              = "gp2"
		103 |   encrypted         = true
		104 |   size              = 2000
		105 | 
		106 |   tags = merge(
		107 |     local.tags,
		108 |     {
		109 |       Name = "app-baremetal-disk2-${local.application_name}"
		110 |     }
		111 |   )
		112 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database-server
	File: /database-server.tf:2-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		2  | resource "aws_instance" "database-server" {
		3  |   depends_on                  = [aws_security_group.app_servers]
		4  |   instance_type               = "t2.medium"
		5  |   ami                         = local.application_data.accounts[local.environment].suprig01-ami
		6  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		7  |   monitoring                  = false
		8  |   associate_public_ip_address = false
		9  |   ebs_optimized               = false
		10 |   subnet_id                   = data.aws_subnet.private_az_a.id
		11 |   key_name                    = aws_key_pair.george.key_name
		12 | 
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   root_block_device {
		20 |     encrypted   = true
		21 |     volume_size = 64
		22 |     tags = {
		23 |       Name = "root-block-device-database-${local.application_name}"
		24 |     }
		25 |   }
		26 | 
		27 |   lifecycle {
		28 |     ignore_changes = [
		29 |       # This prevents clobbering the tags of attached EBS volumes. See
		30 |       # [this bug][1] in the AWS provider upstream.
		31 |       #
		32 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		33 |       volume_tags,
		34 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		35 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		36 |     ]
		37 | 
		38 |     prevent_destroy = true
		39 |   }
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Name = "database-${local.application_name}"
		45 |     }
		46 |   )
		47 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk1
	File: /database-server.tf:50-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		50 | resource "aws_ebs_volume" "database-disk1" {
		51 |   depends_on        = [aws_instance.database-server]
		52 |   availability_zone = "${local.region}a"
		53 |   type              = "gp2"
		54 |   encrypted         = true
		55 | 
		56 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-1-snapshot
		57 | 
		58 |   tags = merge(
		59 |     local.tags,
		60 |     {
		61 |       Name = "database-disk1-${local.application_name}"
		62 |     }
		63 |   )
		64 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk2
	File: /database-server.tf:77-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		77 | resource "aws_ebs_volume" "database-disk2" {
		78 |   depends_on        = [aws_instance.database-server]
		79 |   availability_zone = "${local.region}a"
		80 |   type              = "gp2"
		81 |   encrypted         = true
		82 | 
		83 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-2-snapshot
		84 | 
		85 |   tags = merge(
		86 |     local.tags,
		87 |     {
		88 |       Name = "database-disk2-${local.application_name}"
		89 |     }
		90 |   )
		91 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk3
	File: /database-server.tf:102-116
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		102 | resource "aws_ebs_volume" "database-disk3" {
		103 |   depends_on        = [aws_instance.database-server]
		104 |   availability_zone = "${local.region}a"
		105 |   type              = "gp2"
		106 |   encrypted         = true
		107 | 
		108 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-3-snapshot
		109 | 
		110 |   tags = merge(
		111 |     local.tags,
		112 |     {
		113 |       Name = "database-disk3-${local.application_name}"
		114 |     }
		115 |   )
		116 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk4
	File: /database-server.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		126 | resource "aws_ebs_volume" "database-disk4" {
		127 |   depends_on        = [aws_instance.database-server]
		128 |   availability_zone = "${local.region}a"
		129 |   type              = "gp2"
		130 |   encrypted         = true
		131 | 
		132 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-4-snapshot
		133 | 
		134 |   tags = merge(
		135 |     local.tags,
		136 |     {
		137 |       Name = "database-disk4-${local.application_name}"
		138 |     }
		139 |   )
		140 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk5
	File: /database-server.tf:150-164
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		150 | resource "aws_ebs_volume" "database-disk5" {
		151 |   depends_on        = [aws_instance.database-server]
		152 |   availability_zone = "${local.region}a"
		153 |   type              = "gp2"
		154 |   encrypted         = true
		155 | 
		156 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-5-snapshot
		157 | 
		158 |   tags = merge(
		159 |     local.tags,
		160 |     {
		161 |       Name = "database-disk5-${local.application_name}"
		162 |     }
		163 |   )
		164 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk6
	File: /database-server.tf:175-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		175 | resource "aws_ebs_volume" "database-disk6" {
		176 |   depends_on        = [aws_instance.database-server]
		177 |   availability_zone = "${local.region}a"
		178 |   type              = "gp2"
		179 |   encrypted         = true
		180 | 
		181 |   #snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-6-snapshot
		182 | 
		183 |   size = 300
		184 | 
		185 |   tags = merge(
		186 |     local.tags,
		187 |     {
		188 |       Name = "database-disk6-${local.application_name}"
		189 |     }
		190 |   )
		191 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk7
	File: /database-server.tf:201-215
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		201 | resource "aws_ebs_volume" "database-disk7" {
		202 |   depends_on        = [aws_instance.database-server]
		203 |   availability_zone = "${local.region}a"
		204 |   type              = "gp2"
		205 |   encrypted         = true
		206 | 
		207 |   size = 300
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "database-disk7-${local.application_name}"
		213 |     }
		214 |   )
		215 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.infra1
	File: /domain-controllers.tf:103-144
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		103 | resource "aws_instance" "infra1" {
		104 |   instance_type               = "t2.small"
		105 |   ami                         = local.application_data.accounts[local.environment].infra1-ami
		106 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		107 |   monitoring                  = false
		108 |   associate_public_ip_address = false
		109 |   ebs_optimized               = false
		110 |   subnet_id                   = data.aws_subnet.private_az_a.id
		111 |   key_name                    = aws_key_pair.george.key_name
		112 | 
		113 | 
		114 |   metadata_options {
		115 |     http_tokens   = "required"
		116 |     http_endpoint = "enabled"
		117 |   }
		118 | 
		119 |   root_block_device {
		120 |     encrypted = true
		121 |     tags = {
		122 |       Name = "root-block-device-infra1-${local.application_name}"
		123 |     }
		124 |   }
		125 | 
		126 |   lifecycle {
		127 |     ignore_changes = [
		128 |       # This prevents clobbering the tags of attached EBS volumes. See
		129 |       # [this bug][1] in the AWS provider upstream.
		130 |       #
		131 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		132 |       #volume_tags,
		133 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		134 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		135 |     ]
		136 |   }
		137 | 
		138 |   tags = merge(
		139 |     local.tags,
		140 |     {
		141 |       Name = "infra1-${local.application_name}"
		142 |     }
		143 |   )
		144 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.infra1-disk1
	File: /domain-controllers.tf:146-159
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		146 | resource "aws_ebs_volume" "infra1-disk1" {
		147 |   availability_zone = "${local.region}a"
		148 |   type              = "gp2"
		149 |   encrypted         = true
		150 | 
		151 |   snapshot_id = local.application_data.accounts[local.environment].infra1-disk-1-snapshot
		152 | 
		153 |   tags = merge(
		154 |     local.tags,
		155 |     {
		156 |       Name = "infra1-disk1-${local.application_name}"
		157 |     }
		158 |   )
		159 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.infra2
	File: /domain-controllers.tf:169-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		169 | resource "aws_instance" "infra2" {
		170 |   depends_on                  = [aws_security_group.app_servers, aws_security_group.outbound_dns_resolver]
		171 |   instance_type               = "t2.small"
		172 |   ami                         = local.application_data.accounts[local.environment].infra2-ami
		173 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		174 |   monitoring                  = false
		175 |   associate_public_ip_address = false
		176 |   ebs_optimized               = false
		177 |   subnet_id                   = data.aws_subnet.private_az_b.id
		178 |   key_name                    = aws_key_pair.george.key_name
		179 | 
		180 | 
		181 |   metadata_options {
		182 |     http_tokens   = "required"
		183 |     http_endpoint = "enabled"
		184 |   }
		185 | 
		186 |   root_block_device {
		187 |     encrypted = true
		188 |     tags = {
		189 |       Name = "root-block-device-infra2-${local.application_name}"
		190 |     }
		191 |   }
		192 | 
		193 |   lifecycle {
		194 |     ignore_changes = [
		195 |       # This prevents clobbering the tags of attached EBS volumes. See
		196 |       # [this bug][1] in the AWS provider upstream.
		197 |       #
		198 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		199 |       volume_tags,
		200 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		201 |       #root_block_device,
		202 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		203 |     ]
		204 | 
		205 |     prevent_destroy = true
		206 |   }
		207 | 
		208 |   tags = merge(
		209 |     local.tags,
		210 |     {
		211 |       Name = "infra2-${local.application_name}"
		212 |     }
		213 |   )
		214 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.exchange-server
	File: /exchange-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		6  | resource "aws_instance" "exchange-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.exchange_server]
		9  |   instance_type               = "t2.medium"
		10 |   ami                         = local.application_data.accounts[local.environment].infra6-ami
		11 |   vpc_security_group_ids      = [aws_security_group.exchange_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-exchange-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = true
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "exchange-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.exchange-disk1
	File: /exchange-server.tf:53-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		53 | resource "aws_ebs_volume" "exchange-disk1" {
		54 |   depends_on        = [aws_instance.exchange-server]
		55 |   availability_zone = "${local.region}a"
		56 |   type              = "gp2"
		57 |   encrypted         = true
		58 | 
		59 |   snapshot_id = local.application_data.accounts[local.environment].infra6-disk-1-snapshot
		60 | 
		61 |   tags = merge(
		62 |     local.tags,
		63 |     {
		64 |       Name = "exchange-disk1-${local.application_name}"
		65 |     }
		66 |   )
		67 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.exchange-disk2
	File: /exchange-server.tf:77-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		77 | resource "aws_ebs_volume" "exchange-disk2" {
		78 |   depends_on        = [aws_instance.exchange-server]
		79 |   availability_zone = "${local.region}a"
		80 |   type              = "gp2"
		81 |   encrypted         = true
		82 | 
		83 |   snapshot_id = local.application_data.accounts[local.environment].infra6-disk-2-snapshot
		84 | 
		85 |   tags = merge(
		86 |     local.tags,
		87 |     {
		88 |       Name = "exchange-disk2-${local.application_name}"
		89 |     }
		90 |   )
		91 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.iisrelay-server
	File: /iisrelay-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		6  | resource "aws_instance" "iisrelay-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.iisrelay_server]
		9  |   instance_type               = "t3.large"
		10 |   ami                         = local.application_data.accounts[local.environment].iisrelay-ami
		11 |   vpc_security_group_ids      = [aws_security_group.iisrelay_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-iisrelay-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = false
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "iisrelay-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_277: "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-group-does-not-allow-all-traffic-on-all-ports

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.disk_xvdf
	File: /importmachine.tf:89-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		89  | resource "aws_ebs_volume" "disk_xvdf" {
		90  |   depends_on        = [aws_instance.importmachine]
		91  |   snapshot_id       = local.application_data.accounts[local.environment].importmachine-data-snapshot
		92  |   availability_zone = "${local.region}a"
		93  |   type              = "gp2"
		94  |   encrypted         = true
		95  |   size              = 6000
		96  | 
		97  |   tags = merge(
		98  |     local.tags,
		99  |     {
		100 |       Name = "importmachine-${local.application_name}-disk"
		101 |     }
		102 |   )
		103 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vm-import
	File: /importrole.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "vm-import" {
		2  | 
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"
		4  | 
		5  |   bucket_prefix    = local.application_data.accounts[local.environment].bucket_prefix
		6  |   tags             = local.tags
		7  |   application_name = local.application_name
		8  |   account_number   = local.environment_management.account_ids[terraform.workspace]
		9  | 
		10 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vm-import
	File: /importrole.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		1  | module "vm-import" {
		2  | 
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"
		4  | 
		5  |   bucket_prefix    = local.application_data.accounts[local.environment].bucket_prefix
		6  |   tags             = local.tags
		7  |   application_name = local.application_name
		8  |   account_number   = local.environment_management.account_ids[terraform.workspace]
		9  | 
		10 | }

Check: CKV_AWS_213: "Ensure ELB Policy uses only secure protocols"
	FAILED for resource: aws_load_balancer_policy.ingestion-ssl
	File: /ingestion-load-balancer.tf:199-674
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-elb-policy-uses-only-secure-protocols

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.root_snapshot_to_ami
	File: /lambda.tf:57-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		57 | resource "aws_lambda_function" "root_snapshot_to_ami" {
		58 |   # checkov:skip=CKV_AWS_50: "X-ray tracing is not required"
		59 |   # checkov:skip=CKV_AWS_117: "Lambda is not environment specific"
		60 |   # checkov:skip=CKV_AWS_116: "DLQ not required"
		61 |   filename                       = "lambda/lambda_function.zip"
		62 |   function_name                  = "root_snapshot_to_ami"
		63 |   role                           = aws_iam_role.snapshot_lambda.arn
		64 |   handler                        = "index.lambda_handler"
		65 |   source_code_hash               = data.archive_file.lambda_zip.output_base64sha256
		66 |   runtime                        = "python3.8"
		67 |   timeout                        = "120"
		68 |   reserved_concurrent_executions = 1
		69 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_old_ami
	File: /lambda.tf:150-164
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		150 | resource "aws_lambda_function" "delete_old_ami" {
		151 |   # checkov:skip=CKV_AWS_50: "X-ray tracing is not required"
		152 |   # checkov:skip=CKV_AWS_117: "Lambda is not environment specific"
		153 |   # checkov:skip=CKV_AWS_116: "DLQ not required"
		154 |   filename         = "lambda/delete_old_ami.zip"
		155 |   function_name    = "delete_old_ami"
		156 |   role             = aws_iam_role.delete_snapshot_lambda.arn
		157 |   handler          = "delete_old_ami.lambda_handler"
		158 |   source_code_hash = data.archive_file.delete_lambda_zip.output_base64sha256
		159 |   runtime          = "python3.8"
		160 |   # "large" amount of memory because of the amount of snapshots
		161 |   memory_size                    = "1280"
		162 |   timeout                        = "240"
		163 |   reserved_concurrent_executions = 1
		164 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.sms-inbound-bastion
	File: /network-infrastructure.tf:154-161
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		154 | resource "aws_security_group_rule" "sms-inbound-bastion" {
		155 |   from_port                = 3389
		156 |   protocol                 = "TCP"
		157 |   security_group_id        = aws_security_group.sms_server.id
		158 |   to_port                  = 3389
		159 |   type                     = "ingress"
		160 |   source_security_group_id = module.bastion_linux.bastion_security_group
		161 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.portal-server
	File: /portal-server.tf:1-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "portal-server" {
		2  |   depends_on                  = [aws_security_group.portal_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig03-ami
		5  |   vpc_security_group_ids      = [aws_security_group.portal_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-portal-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       #root_block_device,
		34 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		35 |     ]
		36 | 
		37 |     prevent_destroy = true
		38 |   }
		39 | 
		40 |   tags = merge(
		41 |     local.tags,
		42 |     {
		43 |       Name = "portal-${local.application_name}"
		44 |     }
		45 |   )
		46 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.prtg_lb
	File: /prtg-load-balancer.tf:12-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		12 | resource "aws_lb" "prtg_lb" {
		13 | 
		14 |   depends_on = [
		15 |     aws_security_group.prtg_lb,
		16 |   ]
		17 | 
		18 |   name                       = "prtg-lb-${var.networking[0].application}"
		19 |   internal                   = false
		20 |   load_balancer_type         = "application"
		21 |   security_groups            = [aws_security_group.prtg_lb.id]
		22 |   subnets                    = data.aws_subnets.prtg-shared-public.ids
		23 |   enable_deletion_protection = false
		24 | 
		25 |   access_logs {
		26 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		27 |     prefix  = "http-lb"
		28 |     enabled = true
		29 |   }
		30 | 
		31 |   tags = merge(
		32 |     local.tags,
		33 |     {
		34 |       Name = "prtg-lb-${var.networking[0].application}"
		35 |     },
		36 |   )
		37 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.prtg_lb
	File: /prtg-load-balancer.tf:12-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		12 | resource "aws_lb" "prtg_lb" {
		13 | 
		14 |   depends_on = [
		15 |     aws_security_group.prtg_lb,
		16 |   ]
		17 | 
		18 |   name                       = "prtg-lb-${var.networking[0].application}"
		19 |   internal                   = false
		20 |   load_balancer_type         = "application"
		21 |   security_groups            = [aws_security_group.prtg_lb.id]
		22 |   subnets                    = data.aws_subnets.prtg-shared-public.ids
		23 |   enable_deletion_protection = false
		24 | 
		25 |   access_logs {
		26 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		27 |     prefix  = "http-lb"
		28 |     enabled = true
		29 |   }
		30 | 
		31 |   tags = merge(
		32 |     local.tags,
		33 |     {
		34 |       Name = "prtg-lb-${var.networking[0].application}"
		35 |     },
		36 |   )
		37 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.prtg_acl
	File: /prtg-load-balancer.tf:138-204
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.sms-server
	File: /sms-server.tf:1-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "sms-server" {
		2  |   depends_on                  = [aws_security_group.sms_server]
		3  |   instance_type               = "t3.large"
		4  |   ami                         = local.application_data.accounts[local.environment].XHBPRESMS01-ami
		5  |   vpc_security_group_ids      = [aws_security_group.sms_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.gary.key_name
		11 |   #key_name                    = aws_key_pair.george.key_name
		12 |   iam_instance_profile = aws_iam_instance_profile.ec2_xp_profile.id
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   root_block_device {
		20 |     encrypted = true
		21 |     tags = {
		22 |       Name = "root-block-device-sms-server-${local.application_name}"
		23 |     }
		24 |   }
		25 | 
		26 |   lifecycle {
		27 |     ignore_changes = [
		28 |       # This prevents clobbering the tags of attached EBS volumes. See
		29 |       # [this bug][1] in the AWS provider upstream.
		30 |       #
		31 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		32 |       volume_tags,
		33 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		34 |       #root_block_device,
		35 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		36 |     ]
		37 | 
		38 |     prevent_destroy = false
		39 |   }
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Name = "sms-${local.application_name}"
		45 |     }
		46 |   )
		47 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.waf_lb
	File: /waf-load-balancer.tf:27-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		27 | resource "aws_lb" "waf_lb" {
		28 | 
		29 |   depends_on = [
		30 |     aws_security_group.waf_lb,
		31 |   ]
		32 | 
		33 |   name                       = "waf-lb-${var.networking[0].application}"
		34 |   internal                   = false
		35 |   load_balancer_type         = "application"
		36 |   security_groups            = [aws_security_group.waf_lb.id]
		37 |   subnets                    = data.aws_subnets.waf-shared-public.ids
		38 |   enable_deletion_protection = false
		39 | 
		40 |   access_logs {
		41 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		42 |     prefix  = "http-lb"
		43 |     enabled = true
		44 |   }
		45 | 
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Name = "waf-lb-${var.networking[0].application}"
		50 |     },
		51 |   )
		52 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.waf_lb
	File: /waf-load-balancer.tf:27-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		27 | resource "aws_lb" "waf_lb" {
		28 | 
		29 |   depends_on = [
		30 |     aws_security_group.waf_lb,
		31 |   ]
		32 | 
		33 |   name                       = "waf-lb-${var.networking[0].application}"
		34 |   internal                   = false
		35 |   load_balancer_type         = "application"
		36 |   security_groups            = [aws_security_group.waf_lb.id]
		37 |   subnets                    = data.aws_subnets.waf-shared-public.ids
		38 |   enable_deletion_protection = false
		39 | 
		40 |   access_logs {
		41 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		42 |     prefix  = "http-lb"
		43 |     enabled = true
		44 |   }
		45 | 
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Name = "waf-lb-${var.networking[0].application}"
		50 |     },
		51 |   )
		52 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf-load-balancer.tf:224-290
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.zgit
	File: /xp-secrets.tf:15-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		15 | resource "aws_secretsmanager_secret" "zgit" {
		16 |   name        = "${local.environment}/zgit.pem"
		17 |   description = "key pair used for the zgit-server-xhibit-portal"
		18 |   policy      = <<POLICY
		19 | {
		20 |   "Version" : "2012-10-17",
		21 |   "Statement" : [ {
		22 |     "Sid" : "AdministratorFullAccess",
		23 |     "Effect" : "Allow",
		24 |     "Principal" : {
		25 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		26 |     },
		27 |     "Action" : "secretsmanager:*",
		28 |     "Resource" : "*"
		29 |   },
		30 |   {
		31 |     "Sid" : "MPDeveloperFullAccess",
		32 |     "Effect" : "Allow",
		33 |     "Principal" : {
		34 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		35 |     },
		36 |     "Action" : "secretsmanager:*",  
		37 |     "Resource" : "*"
		38 |   } ]
		39 | }
		40 | POLICY
		41 | 
		42 |   tags = local.tags
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.prtgadmin
	File: /xp-secrets.tf:45-73
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		45 | resource "aws_secretsmanager_secret" "prtgadmin" {
		46 |   name        = "${local.environment}/prtgadmin"
		47 |   description = "Root admin account used for the PRTG monitoring application on the import machine"
		48 |   policy      = <<POLICY
		49 | {
		50 |   "Version" : "2012-10-17",
		51 |   "Statement" : [ {
		52 |     "Sid" : "AdministratorFullAccess",
		53 |     "Effect" : "Allow",
		54 |     "Principal" : {
		55 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		56 |     },
		57 |     "Action" : "secretsmanager:*",
		58 |     "Resource" : "*"
		59 |   },
		60 |   {
		61 |     "Sid" : "MPDeveloperFullAccess",
		62 |     "Effect" : "Allow",
		63 |     "Principal" : {
		64 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		65 |     },
		66 |     "Action" : "secretsmanager:*",  
		67 |     "Resource" : "*"
		68 |   } ]
		69 | }
		70 | POLICY
		71 | 
		72 |   tags = local.tags
		73 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.george
	File: /xp-secrets.tf:75-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		75  | resource "aws_secretsmanager_secret" "george" {
		76  |   name        = "${local.environment}/george.pem"
		77  |   description = "Private key for keypair george"
		78  |   policy      = <<POLICY
		79  | {
		80  |   "Version" : "2012-10-17",
		81  |   "Statement" : [ {
		82  |     "Sid" : "AdministratorFullAccess",
		83  |     "Effect" : "Allow",
		84  |     "Principal" : {
		85  |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		86  |     },
		87  |     "Action" : "secretsmanager:*",
		88  |     "Resource" : "*"
		89  |   },
		90  |   {
		91  |     "Sid" : "MPDeveloperFullAccess",
		92  |     "Effect" : "Allow",
		93  |     "Principal" : {
		94  |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		95  |     },
		96  |     "Action" : "secretsmanager:*",  
		97  |     "Resource" : "*"
		98  |   } ]
		99  | }
		100 | POLICY
		101 | 
		102 |   tags = local.tags
		103 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.aladmin
	File: /xp-secrets.tf:105-133
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		105 | resource "aws_secretsmanager_secret" "aladmin" {
		106 |   name        = "${local.environment}/aladmin"
		107 |   description = "The local admin password for the local user 'aladmin' on our domain joined EC2 instances"
		108 |   policy      = <<POLICY
		109 | {
		110 |   "Version" : "2012-10-17",
		111 |   "Statement" : [ {
		112 |     "Sid" : "AdministratorFullAccess",
		113 |     "Effect" : "Allow",
		114 |     "Principal" : {
		115 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		116 |     },
		117 |     "Action" : "secretsmanager:*",
		118 |     "Resource" : "*"
		119 |   },
		120 |   {
		121 |     "Sid" : "MPDeveloperFullAccess",
		122 |     "Effect" : "Allow",
		123 |     "Principal" : {
		124 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		125 |     },
		126 |     "Action" : "secretsmanager:*",  
		127 |     "Resource" : "*"
		128 |   } ]
		129 | }
		130 | POLICY
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.domainadmin-aladmin
	File: /xp-secrets.tf:135-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		135 | resource "aws_secretsmanager_secret" "domainadmin-aladmin" {
		136 |   name        = "${local.environment}/aladmin@cjse.sema.local"
		137 |   description = "Domain admin account"
		138 |   policy      = <<POLICY
		139 | {
		140 |   "Version" : "2012-10-17",
		141 |   "Statement" : [ {
		142 |     "Sid" : "AdministratorFullAccess",
		143 |     "Effect" : "Allow",
		144 |     "Principal" : {
		145 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		146 |     },
		147 |     "Action" : "secretsmanager:*",
		148 |     "Resource" : "*"
		149 |   },
		150 |   {
		151 |     "Sid" : "MPDeveloperFullAccess",
		152 |     "Effect" : "Allow",
		153 |     "Principal" : {
		154 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		155 |     },
		156 |     "Action" : "secretsmanager:*",  
		157 |     "Resource" : "*"
		158 |   } ]
		159 | }
		160 | POLICY
		161 | 
		162 |   tags = local.tags
		163 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.prtg_lb_listener
	File: /prtg-load-balancer.tf:73-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		73 | resource "aws_lb_listener" "prtg_lb_listener" {
		74 |   depends_on = [
		75 |     aws_acm_certificate_validation.prtg_lb_cert_validation,
		76 |     aws_lb_target_group.prtg_lb_web_tg
		77 |   ]
		78 | 
		79 |   load_balancer_arn = aws_lb.prtg_lb.arn
		80 |   port              = "443"
		81 |   protocol          = "HTTPS"
		82 |   ssl_policy        = "ELBSecurityPolicy-2016-08"
		83 |   certificate_arn   = aws_acm_certificate.prtg_lb_cert.arn
		84 |   # certificate_arn   = data.aws_acm_certificate.ingestion_cert.arn 
		85 | 
		86 |   default_action {
		87 |     type             = "forward"
		88 |     target_group_arn = aws_lb_target_group.prtg_lb_web_tg.arn
		89 |   }
		90 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.waf_lb_listener
	File: /waf-load-balancer.tf:87-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		87  | resource "aws_lb_listener" "waf_lb_listener" {
		88  |   depends_on = [
		89  |     aws_acm_certificate_validation.waf_lb_cert_validation,
		90  |     aws_lb_target_group.waf_lb_web_tg
		91  |   ]
		92  | 
		93  |   load_balancer_arn = aws_lb.waf_lb.arn
		94  |   port              = "443"
		95  |   protocol          = "HTTPS"
		96  |   ssl_policy        = "ELBSecurityPolicy-2016-08"
		97  |   certificate_arn   = aws_acm_certificate.waf_lb_cert.arn
		98  |   # certificate_arn   = data.aws_acm_certificate.ingestion_cert.arn 
		99  | 
		100 |   default_action {
		101 |     type             = "forward"
		102 |     target_group_arn = aws_lb_target_group.waf_lb_web_tg.arn
		103 |   }
		104 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.zgit
	File: /xp-secrets.tf:15-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		15 | resource "aws_secretsmanager_secret" "zgit" {
		16 |   name        = "${local.environment}/zgit.pem"
		17 |   description = "key pair used for the zgit-server-xhibit-portal"
		18 |   policy      = <<POLICY
		19 | {
		20 |   "Version" : "2012-10-17",
		21 |   "Statement" : [ {
		22 |     "Sid" : "AdministratorFullAccess",
		23 |     "Effect" : "Allow",
		24 |     "Principal" : {
		25 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		26 |     },
		27 |     "Action" : "secretsmanager:*",
		28 |     "Resource" : "*"
		29 |   },
		30 |   {
		31 |     "Sid" : "MPDeveloperFullAccess",
		32 |     "Effect" : "Allow",
		33 |     "Principal" : {
		34 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		35 |     },
		36 |     "Action" : "secretsmanager:*",  
		37 |     "Resource" : "*"
		38 |   } ]
		39 | }
		40 | POLICY
		41 | 
		42 |   tags = local.tags
		43 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.prtgadmin
	File: /xp-secrets.tf:45-73
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		45 | resource "aws_secretsmanager_secret" "prtgadmin" {
		46 |   name        = "${local.environment}/prtgadmin"
		47 |   description = "Root admin account used for the PRTG monitoring application on the import machine"
		48 |   policy      = <<POLICY
		49 | {
		50 |   "Version" : "2012-10-17",
		51 |   "Statement" : [ {
		52 |     "Sid" : "AdministratorFullAccess",
		53 |     "Effect" : "Allow",
		54 |     "Principal" : {
		55 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		56 |     },
		57 |     "Action" : "secretsmanager:*",
		58 |     "Resource" : "*"
		59 |   },
		60 |   {
		61 |     "Sid" : "MPDeveloperFullAccess",
		62 |     "Effect" : "Allow",
		63 |     "Principal" : {
		64 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		65 |     },
		66 |     "Action" : "secretsmanager:*",  
		67 |     "Resource" : "*"
		68 |   } ]
		69 | }
		70 | POLICY
		71 | 
		72 |   tags = local.tags
		73 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.george
	File: /xp-secrets.tf:75-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		75  | resource "aws_secretsmanager_secret" "george" {
		76  |   name        = "${local.environment}/george.pem"
		77  |   description = "Private key for keypair george"
		78  |   policy      = <<POLICY
		79  | {
		80  |   "Version" : "2012-10-17",
		81  |   "Statement" : [ {
		82  |     "Sid" : "AdministratorFullAccess",
		83  |     "Effect" : "Allow",
		84  |     "Principal" : {
		85  |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		86  |     },
		87  |     "Action" : "secretsmanager:*",
		88  |     "Resource" : "*"
		89  |   },
		90  |   {
		91  |     "Sid" : "MPDeveloperFullAccess",
		92  |     "Effect" : "Allow",
		93  |     "Principal" : {
		94  |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		95  |     },
		96  |     "Action" : "secretsmanager:*",  
		97  |     "Resource" : "*"
		98  |   } ]
		99  | }
		100 | POLICY
		101 | 
		102 |   tags = local.tags
		103 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.aladmin
	File: /xp-secrets.tf:105-133
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		105 | resource "aws_secretsmanager_secret" "aladmin" {
		106 |   name        = "${local.environment}/aladmin"
		107 |   description = "The local admin password for the local user 'aladmin' on our domain joined EC2 instances"
		108 |   policy      = <<POLICY
		109 | {
		110 |   "Version" : "2012-10-17",
		111 |   "Statement" : [ {
		112 |     "Sid" : "AdministratorFullAccess",
		113 |     "Effect" : "Allow",
		114 |     "Principal" : {
		115 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		116 |     },
		117 |     "Action" : "secretsmanager:*",
		118 |     "Resource" : "*"
		119 |   },
		120 |   {
		121 |     "Sid" : "MPDeveloperFullAccess",
		122 |     "Effect" : "Allow",
		123 |     "Principal" : {
		124 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		125 |     },
		126 |     "Action" : "secretsmanager:*",  
		127 |     "Resource" : "*"
		128 |   } ]
		129 | }
		130 | POLICY
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.domainadmin-aladmin
	File: /xp-secrets.tf:135-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		135 | resource "aws_secretsmanager_secret" "domainadmin-aladmin" {
		136 |   name        = "${local.environment}/aladmin@cjse.sema.local"
		137 |   description = "Domain admin account"
		138 |   policy      = <<POLICY
		139 | {
		140 |   "Version" : "2012-10-17",
		141 |   "Statement" : [ {
		142 |     "Sid" : "AdministratorFullAccess",
		143 |     "Effect" : "Allow",
		144 |     "Principal" : {
		145 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		146 |     },
		147 |     "Action" : "secretsmanager:*",
		148 |     "Resource" : "*"
		149 |   },
		150 |   {
		151 |     "Sid" : "MPDeveloperFullAccess",
		152 |     "Effect" : "Allow",
		153 |     "Principal" : {
		154 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		155 |     },
		156 |     "Action" : "secretsmanager:*",  
		157 |     "Resource" : "*"
		158 |   } ]
		159 | }
		160 | POLICY
		161 | 
		162 |   tags = local.tags
		163 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.app-server
	File: /app-server.tf:1-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "app-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig02-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 |   metadata_options {
		13 |     http_tokens   = "required"
		14 |     http_endpoint = "enabled"
		15 |   }
		16 | 
		17 |   root_block_device {
		18 |     encrypted = true
		19 |     tags = {
		20 |       Name = "root-block-device-app-${local.application_name}"
		21 |     }
		22 |   }
		23 | 
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       # This prevents clobbering the tags of attached EBS volumes. See
		27 |       # [this bug][1] in the AWS provider upstream.
		28 |       #
		29 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		30 |       #volume_tags,
		31 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		32 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		33 |     ]
		34 | 
		35 |     prevent_destroy = true
		36 |   }
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Name = "app-${local.application_name}"
		42 |     }
		43 |   )
		44 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.build-server
	File: /build-server.tf:1-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "build-server" {
		2  |   depends_on                  = [aws_security_group.build_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].buildserver-ami
		5  |   vpc_security_group_ids      = [aws_security_group.build_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-build-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 |   }
		36 | 
		37 |   tags = merge(
		38 |     local.tags,
		39 |     {
		40 |       Name = "build-${local.application_name}"
		41 |     }
		42 |   )
		43 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.cjim-server
	File: /cjim-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "cjim-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig04-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjim-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjim-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.cjip-server
	File: /cjip-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "cjip-server" {
		2  |   depends_on                  = [aws_security_group.ingestion_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig05-ami
		5  |   vpc_security_group_ids      = [aws_security_group.ingestion_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjip-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjip-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.database-server-baremetal
	File: /database-server-baremetal.tf:3-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		3  | resource "aws_instance" "database-server-baremetal" {
		4  |   # Used to only allow the bare metal server to deploy in prod
		5  |   count                       = local.only_in_production
		6  |   depends_on                  = [aws_security_group.sms_server]
		7  |   instance_type               = "c5d.metal"
		8  |   ami                         = local.application_data.accounts[local.environment].suprig01-baremetal-ami
		9  |   vpc_security_group_ids      = [aws_security_group.sms_server.id]
		10 |   monitoring                  = false
		11 |   associate_public_ip_address = false
		12 |   ebs_optimized               = false
		13 |   subnet_id                   = data.aws_subnet.private_az_a.id
		14 |   key_name                    = aws_key_pair.ben.key_name
		15 | 
		16 | 
		17 |   metadata_options {
		18 |     http_tokens   = "required"
		19 |     http_endpoint = "enabled"
		20 |   }
		21 | 
		22 |   root_block_device {
		23 |     encrypted   = true
		24 |     volume_size = 300
		25 |     tags = {
		26 |       Name = "root-block-device-baremetal-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       volume_tags,
		37 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		38 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		39 |     ]
		40 | 
		41 |     prevent_destroy = true
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name = "baremetal-${local.application_name}"
		48 |     }
		49 |   )
		50 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.database-server
	File: /database-server.tf:2-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		2  | resource "aws_instance" "database-server" {
		3  |   depends_on                  = [aws_security_group.app_servers]
		4  |   instance_type               = "t2.medium"
		5  |   ami                         = local.application_data.accounts[local.environment].suprig01-ami
		6  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		7  |   monitoring                  = false
		8  |   associate_public_ip_address = false
		9  |   ebs_optimized               = false
		10 |   subnet_id                   = data.aws_subnet.private_az_a.id
		11 |   key_name                    = aws_key_pair.george.key_name
		12 | 
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   root_block_device {
		20 |     encrypted   = true
		21 |     volume_size = 64
		22 |     tags = {
		23 |       Name = "root-block-device-database-${local.application_name}"
		24 |     }
		25 |   }
		26 | 
		27 |   lifecycle {
		28 |     ignore_changes = [
		29 |       # This prevents clobbering the tags of attached EBS volumes. See
		30 |       # [this bug][1] in the AWS provider upstream.
		31 |       #
		32 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		33 |       volume_tags,
		34 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		35 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		36 |     ]
		37 | 
		38 |     prevent_destroy = true
		39 |   }
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Name = "database-${local.application_name}"
		45 |     }
		46 |   )
		47 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.infra1
	File: /domain-controllers.tf:103-144
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		103 | resource "aws_instance" "infra1" {
		104 |   instance_type               = "t2.small"
		105 |   ami                         = local.application_data.accounts[local.environment].infra1-ami
		106 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		107 |   monitoring                  = false
		108 |   associate_public_ip_address = false
		109 |   ebs_optimized               = false
		110 |   subnet_id                   = data.aws_subnet.private_az_a.id
		111 |   key_name                    = aws_key_pair.george.key_name
		112 | 
		113 | 
		114 |   metadata_options {
		115 |     http_tokens   = "required"
		116 |     http_endpoint = "enabled"
		117 |   }
		118 | 
		119 |   root_block_device {
		120 |     encrypted = true
		121 |     tags = {
		122 |       Name = "root-block-device-infra1-${local.application_name}"
		123 |     }
		124 |   }
		125 | 
		126 |   lifecycle {
		127 |     ignore_changes = [
		128 |       # This prevents clobbering the tags of attached EBS volumes. See
		129 |       # [this bug][1] in the AWS provider upstream.
		130 |       #
		131 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		132 |       #volume_tags,
		133 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		134 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		135 |     ]
		136 |   }
		137 | 
		138 |   tags = merge(
		139 |     local.tags,
		140 |     {
		141 |       Name = "infra1-${local.application_name}"
		142 |     }
		143 |   )
		144 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.infra2
	File: /domain-controllers.tf:169-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		169 | resource "aws_instance" "infra2" {
		170 |   depends_on                  = [aws_security_group.app_servers, aws_security_group.outbound_dns_resolver]
		171 |   instance_type               = "t2.small"
		172 |   ami                         = local.application_data.accounts[local.environment].infra2-ami
		173 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		174 |   monitoring                  = false
		175 |   associate_public_ip_address = false
		176 |   ebs_optimized               = false
		177 |   subnet_id                   = data.aws_subnet.private_az_b.id
		178 |   key_name                    = aws_key_pair.george.key_name
		179 | 
		180 | 
		181 |   metadata_options {
		182 |     http_tokens   = "required"
		183 |     http_endpoint = "enabled"
		184 |   }
		185 | 
		186 |   root_block_device {
		187 |     encrypted = true
		188 |     tags = {
		189 |       Name = "root-block-device-infra2-${local.application_name}"
		190 |     }
		191 |   }
		192 | 
		193 |   lifecycle {
		194 |     ignore_changes = [
		195 |       # This prevents clobbering the tags of attached EBS volumes. See
		196 |       # [this bug][1] in the AWS provider upstream.
		197 |       #
		198 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		199 |       volume_tags,
		200 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		201 |       #root_block_device,
		202 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		203 |     ]
		204 | 
		205 |     prevent_destroy = true
		206 |   }
		207 | 
		208 |   tags = merge(
		209 |     local.tags,
		210 |     {
		211 |       Name = "infra2-${local.application_name}"
		212 |     }
		213 |   )
		214 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.exchange-server
	File: /exchange-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		6  | resource "aws_instance" "exchange-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.exchange_server]
		9  |   instance_type               = "t2.medium"
		10 |   ami                         = local.application_data.accounts[local.environment].infra6-ami
		11 |   vpc_security_group_ids      = [aws_security_group.exchange_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-exchange-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = true
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "exchange-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.iisrelay-server
	File: /iisrelay-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		6  | resource "aws_instance" "iisrelay-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.iisrelay_server]
		9  |   instance_type               = "t3.large"
		10 |   ami                         = local.application_data.accounts[local.environment].iisrelay-ami
		11 |   vpc_security_group_ids      = [aws_security_group.iisrelay_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-iisrelay-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = false
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "iisrelay-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.importmachine
	File: /importmachine.tf:49-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		49 | resource "aws_instance" "importmachine" {
		50 | 
		51 |   depends_on             = [aws_security_group.importmachine]
		52 |   instance_type          = "t3a.large"
		53 |   ami                    = local.application_data.accounts[local.environment].importmachine-ami
		54 |   vpc_security_group_ids = [aws_security_group.importmachine.id]
		55 |   monitoring             = true
		56 |   ebs_optimized          = true
		57 |   subnet_id              = data.aws_subnet.private_az_a.id
		58 |   key_name               = aws_key_pair.george.key_name
		59 | 
		60 |   metadata_options {
		61 |     http_tokens   = "required"
		62 |     http_endpoint = "enabled"
		63 |   }
		64 | 
		65 |   root_block_device {
		66 |     encrypted   = true
		67 |     volume_size = 70
		68 |   }
		69 | 
		70 |   lifecycle {
		71 |     ignore_changes = [
		72 |       # This prevents clobbering the tags of attached EBS volumes. See
		73 |       # [this bug][1] in the AWS provider upstream.
		74 | 
		75 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		76 |       volume_tags,
		77 |     ]
		78 |     prevent_destroy = true
		79 |   }
		80 | 
		81 |   tags = merge(
		82 |     local.tags,
		83 |     {
		84 |       Name = "importmachine-${local.application_name}"
		85 |     }
		86 |   )
		87 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.portal-server
	File: /portal-server.tf:1-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "portal-server" {
		2  |   depends_on                  = [aws_security_group.portal_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig03-ami
		5  |   vpc_security_group_ids      = [aws_security_group.portal_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-portal-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       #root_block_device,
		34 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		35 |     ]
		36 | 
		37 |     prevent_destroy = true
		38 |   }
		39 | 
		40 |   tags = merge(
		41 |     local.tags,
		42 |     {
		43 |       Name = "portal-${local.application_name}"
		44 |     }
		45 |   )
		46 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/xhibit-portal

*****************************

Running tflint in terraform/environments/xhibit-portal
Excluding the following checks: terraform_unused_declarations
18 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import" is not pinned (terraform_module_pinned_source)

  on terraform/environments/xhibit-portal/importrole.tf line 3:
   3:   source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_module_pinned_source.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/ingestion-load-balancer.tf line 140:
 140:       "${aws_s3_bucket.ingestion_loadbalancer_logs.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/ingestion-load-balancer.tf line 190:
 190:     resources = ["${aws_s3_bucket.ingestion_loadbalancer_logs.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/xhibit-portal/lambda.tf line 141:
 141: data "archive_file" "delete_lambda_zip" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 98:
  98:     "${local.application_data.accounts[local.environment].public_dns_name_prtg}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 237:
 237:   log_destination_configs = ["${aws_s3_bucket.prtg_logs[0].arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 257:
 257:       "${aws_s3_bucket.prtg_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 296:
 296:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 321:
 321:       "${aws_s3_bucket.prtg_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 328:
 328:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 184:
 184:     "${local.application_data.accounts[local.environment].public_dns_name_web}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 334:
 334:       "${aws_s3_bucket.loadbalancer_logs.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 384:
 384:     resources = ["${aws_s3_bucket.loadbalancer_logs.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 418:
 418:   log_destination_configs = ["${aws_s3_bucket.waf_logs[0].arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 438:
 438:       "${aws_s3_bucket.waf_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 477:
 477:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 502:
 502:       "${aws_s3_bucket.waf_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 509:
 509:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/xhibit-portal

*****************************

Running Trivy in terraform/environments/xhibit-portal
2024-09-12T09:18:39Z	INFO	[db] Need to update DB
2024-09-12T09:18:39Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T09:18:41Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-12T09:18:41Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-12T09:18:41Z	INFO	Need to update the built-in policies
2024-09-12T09:18:41Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-12T09:18:41Z	INFO	[secret] Secret scanning is enabled
2024-09-12T09:18:41Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T09:18:41Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T09:18:42Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-12T09:18:42Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-12T09:18:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-09-12T09:18:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-09-12T09:18:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-12T09:18:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-12T09:18:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-12T09:18:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-12T09:18:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-12T09:18:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-12T09:18:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-12T09:18:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-12T09:18:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-12T09:18:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-12T09:18:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-12T09:18:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-12T09:18:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-12T09:18:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-12T09:18:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-12T09:18:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-12T09:18:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-12T09:18:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-12T09:18:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-12T09:18:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-12T09:18:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-12T09:18:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-12T09:18:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-12T09:18:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-12T09:18:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-12T09:18:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:303-321"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:303-321"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:8-19"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:8-19"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:157-165"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-lambda-enable-tracing" range="lambda.tf:150-164"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-lambda-enable-tracing" range="lambda.tf:57-69"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:8-19"
2024-09-12T09:18:44Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:8-19"
2024-09-12T09:18:44Z	INFO	[npm] To collect the license information of packages, "npm install" needs to be performed beforehand	dir="scripts/perf/node_modules"
2024-09-12T09:18:44Z	INFO	Number of language-specific files	num=1
2024-09-12T09:18:44Z	INFO	[npm] Detecting vulnerabilities...
2024-09-12T09:18:44Z	INFO	Detected config files	num=24

For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://aquasecurity.github.io/trivy/v0.55/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


scripts/perf/package-lock.json (npm)
====================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬──────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Status │ Installed Version │    Fixed Version    │                          Title                           │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ jsonwebtoken │ CVE-2022-23539 │ HIGH     │ fixed  │ 8.5.1             │ 9.0.0               │ jsonwebtoken: Unrestricted key type could lead to legacy │
│              │                │          │        │                   │                     │ keys usagen                                              │
│              │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-23539               │
├──────────────┼────────────────┤          │        ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ semver       │ CVE-2022-25883 │          │        │ 5.7.1             │ 7.5.2, 6.3.1, 5.7.2 │ nodejs-semver: Regular expression denial of service      │
│              │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-25883               │
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴──────────────────────────────────────────────────────────┘

importmachine.tf (terraform)
============================
Tests: 9 (SUCCESSES: 5, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 importmachine.tf:29
   via importmachine.tf:23-30 (egress)
    via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
   1   resource "aws_security_group" "importmachine" {
   .   
  29 [     ipv6_cidr_blocks = ["::/0"]
  ..   
  32   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 importmachine.tf:28
   via importmachine.tf:23-30 (egress)
    via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
   1   resource "aws_security_group" "importmachine" {
   .   
  28 [     cidr_blocks      = ["0.0.0.0/0"]
  ..   
  32   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 importmachine.tf:20
   via importmachine.tf:14-21 (ingress)
    via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
   1   resource "aws_security_group" "importmachine" {
   .   
  20 [     ipv6_cidr_blocks = ["::/0"]
  ..   
  32   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 importmachine.tf:19
   via importmachine.tf:14-21 (ingress)
    via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
   1   resource "aws_security_group" "importmachine" {
   .   
  19 [     cidr_blocks      = ["0.0.0.0/0"]
  ..   
  32   }
────────────────────────────────────────



ingestion-load-balancer.tf (terraform)
======================================
Tests: 8 (SUCCESSES: 2, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 5, CRITICAL: 1)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ingestion-load-balancer.tf:59
   via ingestion-load-balancer.tf:52-97 (aws_elb.ingestion_lb)
────────────────────────────────────────
  52   resource "aws_elb" "ingestion_lb" {
  ..   
  59 [   internal        = false
  ..   
  97   }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 ingestion-load-balancer.tf:26-36
   via ingestion-load-balancer.tf:18-40 (aws_security_group_rule.ingestion_lb_allow_web_users)
────────────────────────────────────────
  18   resource "aws_security_group_rule" "ingestion_lb_allow_web_users" {
  ..   
  26 ┌   cidr_blocks = [
  27 │     "10.182.60.51/32",   # NLE CGI proxy 
  28 │     "195.59.75.151/32",  # New proxy IPs from Prashanth for testing ingestion NLE DEV
  29 │     "195.59.75.152/32",  # New proxy IPs from Prashanth for testing ingestion NLE DEV
  30 │     "194.33.192.0/24",   # New proxy IPs from Prashanth for testing ingestion LE PROD
  31 │     "194.33.196.0/24",   # New proxy IPs from Prashanth for testing ingestion LE PROD
  32 └     "194.33.248.0/24",   # New proxy IPs from Prashanth for testing ingestion LE PROD
  ..   
────────────────────────────────────────



network-infrastructure.tf (terraform)
=====================================
Tests: 64 (SUCCESSES: 54, FAILURES: 10, EXCEPTIONS: 0)
Failures: 10 (HIGH: 0, CRITICAL: 10)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 network-infrastructure.tf:129
   via network-infrastructure.tf:120-130 (aws_security_group_rule.exchange-outbound-all)
────────────────────────────────────────
 120   resource "aws_security_group_rule" "exchange-outbound-all" {
 121     depends_on        = [aws_security_group.exchange_server]
 122     security_group_id = aws_security_group.exchange_server.id
 123     type              = "egress"
 124     description       = "allow all"
 125     from_port         = 0
 126     to_port           = 0
 127     protocol          = "-1"
 128     cidr_blocks       = ["0.0.0.0/0"]
 ...   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 network-infrastructure.tf:128
   via network-infrastructure.tf:120-130 (aws_security_group_rule.exchange-outbound-all)
────────────────────────────────────────
 120   resource "aws_security_group_rule" "exchange-outbound-all" {
 121     depends_on        = [aws_security_group.exchange_server]
 122     security_group_id = aws_security_group.exchange_server.id
 123     type              = "egress"
 124     description       = "allow all"
 125     from_port         = 0
 126     to_port           = 0
 127     protocol          = "-1"
 128 [   cidr_blocks       = ["0.0.0.0/0"]
 ...   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 network-infrastructure.tf:694
   via network-infrastructure.tf:685-695 (aws_security_group_rule.iisrelay-outbound-all)
────────────────────────────────────────
 685   resource "aws_security_group_rule" "iisrelay-outbound-all" {
 686     depends_on        = [aws_security_group.iisrelay_server]
 687     security_group_id = aws_security_group.iisrelay_server.id
 688     type              = "egress"
 689     description       = "allow all"
 690     from_port         = 0
 691     to_port           = 0
 692     protocol          = "-1"
 693     cidr_blocks       = ["0.0.0.0/0"]
 ...   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 network-infrastructure.tf:693
   via network-infrastructure.tf:685-695 (aws_security_group_rule.iisrelay-outbound-all)
────────────────────────────────────────
 685   resource "aws_security_group_rule" "iisrelay-outbound-all" {
 686     depends_on        = [aws_security_group.iisrelay_server]
 687     security_group_id = aws_security_group.iisrelay_server.id
 688     type              = "egress"
 689     description       = "allow all"
 690     from_port         = 0
 691     to_port           = 0
 692     protocol          = "-1"
 693 [   cidr_blocks       = ["0.0.0.0/0"]
 ...   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 network-infrastructure.tf:207
   via network-infrastructure.tf:199-208 (aws_security_group_rule.sms-outbound-all-ipv4)
────────────────────────────────────────
 199   resource "aws_security_group_rule" "sms-outbound-all-ipv4" {
 200     depends_on        = [aws_security_group.sms_server]
 201     security_group_id = aws_security_group.sms_server.id
 202     type              = "egress"
 203     description       = "allow all ipv4"
 204     from_port         = 0
 205     to_port           = 0
 206     protocol          = "-1"
 207 [   cidr_blocks       = ["0.0.0.0/0"]
 208   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 network-infrastructure.tf:218
   via network-infrastructure.tf:210-219 (aws_security_group_rule.sms-outbound-all-ipv6)
────────────────────────────────────────
 210   resource "aws_security_group_rule" "sms-outbound-all-ipv6" {
 211     depends_on        = [aws_security_group.sms_server]
 212     security_group_id = aws_security_group.sms_server.id
 213     type              = "egress"
 214     description       = "allow all ipv6"
 215     from_port         = 0
 216     to_port           = 0
 217     protocol          = "-1"
 218 [   ipv6_cidr_blocks  = ["::/0"]
 219   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 network-infrastructure.tf:297
   via network-infrastructure.tf:288-298 (aws_security_group_rule.prtg_lb_allow_web_users)
────────────────────────────────────────
 288   resource "aws_security_group_rule" "prtg_lb_allow_web_users" {
 289     depends_on        = [aws_security_group.prtg_lb]
 290     security_group_id = aws_security_group.prtg_lb.id
 291     type              = "ingress"
 292     description       = "allow web traffic to get to prtg Load Balancer over SSL "
 293     from_port         = 443
 294     to_port           = 443
 295     protocol          = "TCP"
 296     cidr_blocks       = ["0.0.0.0/0"]
 ...   
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 network-infrastructure.tf:296
   via network-infrastructure.tf:288-298 (aws_security_group_rule.prtg_lb_allow_web_users)
────────────────────────────────────────
 288   resource "aws_security_group_rule" "prtg_lb_allow_web_users" {
 289     depends_on        = [aws_security_group.prtg_lb]
 290     security_group_id = aws_security_group.prtg_lb.id
 291     type              = "ingress"
 292     description       = "allow web traffic to get to prtg Load Balancer over SSL "
 293     from_port         = 443
 294     to_port           = 443
 295     protocol          = "TCP"
 296 [   cidr_blocks       = ["0.0.0.0/0"]
 ...   
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 network-infrastructure.tf:285
   via network-infrastructure.tf:276-286 (aws_security_group_rule.waf_lb_allow_web_users)
────────────────────────────────────────
 276   resource "aws_security_group_rule" "waf_lb_allow_web_users" {
 277     depends_on        = [aws_security_group.waf_lb]
 278     security_group_id = aws_security_group.waf_lb.id
 279     type              = "ingress"
 280     description       = "allow web traffic to get to ingestion server"
 281     from_port         = 443
 282     to_port           = 443
 283     protocol          = "TCP"
 284     cidr_blocks       = ["0.0.0.0/0"]
 ...   
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 network-infrastructure.tf:284
   via network-infrastructure.tf:276-286 (aws_security_group_rule.waf_lb_allow_web_users)
────────────────────────────────────────
 276   resource "aws_security_group_rule" "waf_lb_allow_web_users" {
 277     depends_on        = [aws_security_group.waf_lb]
 278     security_group_id = aws_security_group.waf_lb.id
 279     type              = "ingress"
 280     description       = "allow web traffic to get to ingestion server"
 281     from_port         = 443
 282     to_port           = 443
 283     protocol          = "TCP"
 284 [   cidr_blocks       = ["0.0.0.0/0"]
 ...   
────────────────────────────────────────



prtg-load-balancer.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 4, FAILURES: 7, EXCEPTIONS: 0)
Failures: 7 (HIGH: 6, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
 prtg-load-balancer.tf:82
   via prtg-load-balancer.tf:73-90 (aws_lb_listener.prtg_lb_listener)
────────────────────────────────────────
  73   resource "aws_lb_listener" "prtg_lb_listener" {
  ..   
  82 [   ssl_policy        = "ELBSecurityPolicy-2016-08"
  ..   
  90   }
────────────────────────────────────────


HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 prtg-load-balancer.tf:12-37
────────────────────────────────────────
  12 ┌ resource "aws_lb" "prtg_lb" {
  13 │ 
  14 │   depends_on = [
  15 │     aws_security_group.prtg_lb,
  16 │   ]
  17 │ 
  18 │   name                       = "prtg-lb-${var.networking[0].application}"
  19 │   internal                   = false
  20 └   load_balancer_type         = "application"
  ..   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 prtg-load-balancer.tf:19
   via prtg-load-balancer.tf:12-37 (aws_lb.prtg_lb)
────────────────────────────────────────
  12   resource "aws_lb" "prtg_lb" {
  ..   
  19 [   internal                   = false
  ..   
  37   }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────



waf-load-balancer.tf (terraform)
================================
Tests: 18 (SUCCESSES: 7, FAILURES: 11, EXCEPTIONS: 0)
Failures: 11 (HIGH: 10, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
 waf-load-balancer.tf:96
   via waf-load-balancer.tf:87-104 (aws_lb_listener.waf_lb_listener)
────────────────────────────────────────
  87   resource "aws_lb_listener" "waf_lb_listener" {
  ..   
  96 [   ssl_policy        = "ELBSecurityPolicy-2016-08"
 ...   
 104   }
────────────────────────────────────────


HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 waf-load-balancer.tf:27-52
────────────────────────────────────────
  27 ┌ resource "aws_lb" "waf_lb" {
  28 │ 
  29 │   depends_on = [
  30 │     aws_security_group.waf_lb,
  31 │   ]
  32 │ 
  33 │   name                       = "waf-lb-${var.networking[0].application}"
  34 │   internal                   = false
  35 └   load_balancer_type         = "application"
  ..   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 waf-load-balancer.tf:34
   via waf-load-balancer.tf:27-52 (aws_lb.waf_lb)
────────────────────────────────────────
  27   resource "aws_lb" "waf_lb" {
  ..   
  34 [   internal                   = false
  ..   
  52   }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


trivy_exitcode=1

[github-actions]

Trivy Scan Success

Show Output

```hcl

---

Trivy will check the following folders:

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:

Trivy Scan Success

Show Output

*****************************

Trivy will check the following folders:

[github-actions]

Trivy Scan Failed

Show Output

```hcl

---

Trivy will check the following folders:
terraform/environments/xhibit-portal

---

Running Trivy in terraform/environments/xhibit-portal
2024-09-17T15:09:28Z INFO [db] Need to update DB
2024-09-17T15:09:28Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-17T15:09:31Z INFO [vuln] Vulnerability scanning is enabled
2024-09-17T15:09:31Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-17T15:09:31Z INFO Need to update the built-in policies
2024-09-17T15:09:31Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-17T15:09:31Z INFO [secret] Secret scanning is enabled
2024-09-17T15:09:31Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-17T15:09:31Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-17T15:09:31Z INFO [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="scripts/perf/node_modules"
2024-09-17T15:09:32Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-17T15:09:32Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-17T15:09:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-09-17T15:09:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-09-17T15:09:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T15:09:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T15:09:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:09:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:09:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:09:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:09:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:09:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:09:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:09:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:09:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:09:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:09:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:09:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:09:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:09:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:09:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:09:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:09:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:09:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:09:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:09:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:09:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:09:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:09:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:09:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-lambda-enable-tracing" range="lambda.tf:150-164"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-lambda-enable-tracing" range="lambda.tf:57-69"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:8-19"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:8-19"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:8-19"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:8-19"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:157-165"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:303-321"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:303-321"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z INFO Number of language-specific files num=1
2024-09-17T15:09:35Z INFO [npm] Detecting vulnerabilities...
2024-09-17T15:09:35Z INFO Detected config files num=24

For OSS Maintainers: VEX Notice

If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://aquasecurity.github.io/trivy/v0.55/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.

scripts/perf/package-lock.json (npm)

Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ jsonwebtoken │ CVE-2022-23539 │ HIGH │ fixed │ 8.5.1 │ 9.0.0 │ jsonwebtoken: Unrestricted key type could lead to legacy │
│ │ │ │ │ │ │ keys usagen │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-23539 │
├──────────────┼────────────────┤ │ ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ semver │ CVE-2022-25883 │ │ │ 5.7.1 │ 7.5.2, 6.3.1, 5.7.2 │ nodejs-semver: Regular expression denial of service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-25883 │
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴──────────────────────────────────────────────────────────┘

importmachine.tf (terraform)

Tests: 9 (SUCCESSES: 5, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
importmachine.tf:29
via importmachine.tf:23-30 (egress)
via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
1 resource "aws_security_group" "importmachine" {
.
29 [ ipv6_cidr_blocks = ["::/0"]
..
32 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
importmachine.tf:28
via importmachine.tf:23-30 (egress)
via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
1 resource "aws_security_group" "importmachine" {
.
28 [ cidr_blocks = ["0.0.0.0/0"]
..
32 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
importmachine.tf:20
via importmachine.tf:14-21 (ingress)
via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
1 resource "aws_security_group" "importmachine" {
.
20 [ ipv6_cidr_blocks = ["::/0"]
..
32 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
importmachine.tf:19
via importmachine.tf:14-21 (ingress)
via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
1 resource "aws_security_group" "importmachine" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
32 }
────────────────────────────────────────

ingestion-load-balancer.tf (terraform)

Tests: 8 (SUCCESSES: 2, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 5, CRITICAL: 1)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ingestion-load-balancer.tf:59
via ingestion-load-balancer.tf:52-97 (aws_elb.ingestion_lb)
────────────────────────────────────────
52 resource "aws_elb" "ingestion_lb" {
..
59 [ internal = false
..
97 }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
ingestion-load-balancer.tf:26-36
via ingestion-load-balancer.tf:18-40 (aws_security_group_rule.ingestion_lb_allow_web_users)
────────────────────────────────────────
18 resource "aws_security_group_rule" "ingestion_lb_allow_web_users" {
..
26 ┌ cidr_blocks = [
27 │ "10.182.60.51/32", # NLE CGI proxy
28 │ "195.59.75.151/32", # New proxy IPs from Prashanth for testing ingestion NLE DEV
29 │ "195.59.75.152/32", # New proxy IPs from Prashanth for testing ingestion NLE DEV
30 │ "194.33.192.0/24", # New proxy IPs from Prashanth for testing ingestion LE PROD
31 │ "194.33.196.0/24", # New proxy IPs from Prashanth for testing ingestion LE PROD
32 └ "194.33.248.0/24", # New proxy IPs from Prashanth for testing ingestion LE PROD
..
────────────────────────────────────────

network-infrastructure.tf (terraform)

Tests: 64 (SUCCESSES: 54, FAILURES: 10, EXCEPTIONS: 0)
Failures: 10 (HIGH: 0, CRITICAL: 10)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
network-infrastructure.tf:129
via network-infrastructure.tf:120-130 (aws_security_group_rule.exchange-outbound-all)
────────────────────────────────────────
120 resource "aws_security_group_rule" "exchange-outbound-all" {
121 depends_on = [aws_security_group.exchange_server]
122 security_group_id = aws_security_group.exchange_server.id
123 type = "egress"
124 description = "allow all"
125 from_port = 0
126 to_port = 0
127 protocol = "-1"
128 cidr_blocks = ["0.0.0.0/0"]
...
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
network-infrastructure.tf:128
via network-infrastructure.tf:120-130 (aws_security_group_rule.exchange-outbound-all)
────────────────────────────────────────
120 resource "aws_security_group_rule" "exchange-outbound-all" {
121 depends_on = [aws_security_group.exchange_server]
122 security_group_id = aws_security_group.exchange_server.id
123 type = "egress"
124 description = "allow all"
125 from_port = 0
126 to_port = 0
127 protocol = "-1"
128 [ cidr_blocks = ["0.0.0.0/0"]
...
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
network-infrastructure.tf:694
via network-infrastructure.tf:685-695 (aws_security_group_rule.iisrelay-outbound-all)
────────────────────────────────────────
685 resource "aws_security_group_rule" "iisrelay-outbound-all" {
686 depends_on = [aws_security_group.iisrelay_server]
687 security_group_id = aws_security_group.iisrelay_server.id
688 type = "egress"
689 description = "allow all"
690 from_port = 0
691 to_port = 0
692 protocol = "-1"
693 cidr_blocks = ["0.0.0.0/0"]
...
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
network-infrastructure.tf:693
via network-infrastructure.tf:685-695 (aws_security_group_rule.iisrelay-outbound-all)
────────────────────────────────────────
685 resource "aws_security_group_rule" "iisrelay-outbound-all" {
686 depends_on = [aws_security_group.iisrelay_server]
687 security_group_id = aws_security_group.iisrelay_server.id
688 type = "egress"
689 description = "allow all"
690 from_port = 0
691 to_port = 0
692 protocol = "-1"
693 [ cidr_blocks = ["0.0.0.0/0"]
...
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
network-infrastructure.tf:207
via network-infrastructure.tf:199-208 (aws_security_group_rule.sms-outbound-all-ipv4)
────────────────────────────────────────
199 resource "aws_security_group_rule" "sms-outbound-all-ipv4" {
200 depends_on = [aws_security_group.sms_server]
201 security_group_id = aws_security_group.sms_server.id
202 type = "egress"
203 description = "allow all ipv4"
204 from_port = 0
205 to_port = 0
206 protocol = "-1"
207 [ cidr_blocks = ["0.0.0.0/0"]
208 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
network-infrastructure.tf:218
via network-infrastructure.tf:210-219 (aws_security_group_rule.sms-outbound-all-ipv6)
────────────────────────────────────────
210 resource "aws_security_group_rule" "sms-outbound-all-ipv6" {
211 depends_on = [aws_security_group.sms_server]
212 security_group_id = aws_security_group.sms_server.id
213 type = "egress"
214 description = "allow all ipv6"
215 from_port = 0
216 to_port = 0
217 protocol = "-1"
218 [ ipv6_cidr_blocks = ["::/0"]
219 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
network-infrastructure.tf:297
via network-infrastructure.tf:288-298 (aws_security_group_rule.prtg_lb_allow_web_users)
────────────────────────────────────────
288 resource "aws_security_group_rule" "prtg_lb_allow_web_users" {
289 depends_on = [aws_security_group.prtg_lb]
290 security_group_id = aws_security_group.prtg_lb.id
291 type = "ingress"
292 description = "allow web traffic to get to prtg Load Balancer over SSL "
293 from_port = 443
294 to_port = 443
295 protocol = "TCP"
296 cidr_blocks = ["0.0.0.0/0"]
...
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
network-infrastructure.tf:296
via network-infrastructure.tf:288-298 (aws_security_group_rule.prtg_lb_allow_web_users)
────────────────────────────────────────
288 resource "aws_security_group_rule" "prtg_lb_allow_web_users" {
289 depends_on = [aws_security_group.prtg_lb]
290 security_group_id = aws_security_group.prtg_lb.id
291 type = "ingress"
292 description = "allow web traffic to get to prtg Load Balancer over SSL "
293 from_port = 443
294 to_port = 443
295 protocol = "TCP"
296 [ cidr_blocks = ["0.0.0.0/0"]
...
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
network-infrastructure.tf:285
via network-infrastructure.tf:276-286 (aws_security_group_rule.waf_lb_allow_web_users)
────────────────────────────────────────
276 resource "aws_security_group_rule" "waf_lb_allow_web_users" {
277 depends_on = [aws_security_group.waf_lb]
278 security_group_id = aws_security_group.waf_lb.id
279 type = "ingress"
280 description = "allow web traffic to get to ingestion server"
281 from_port = 443
282 to_port = 443
283 protocol = "TCP"
284 cidr_blocks = ["0.0.0.0/0"]
...
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
network-infrastructure.tf:284
via network-infrastructure.tf:276-286 (aws_security_group_rule.waf_lb_allow_web_users)
────────────────────────────────────────
276 resource "aws_security_group_rule" "waf_lb_allow_web_users" {
277 depends_on = [aws_security_group.waf_lb]
278 security_group_id = aws_security_group.waf_lb.id
279 type = "ingress"
280 description = "allow web traffic to get to ingestion server"
281 from_port = 443
282 to_port = 443
283 protocol = "TCP"
284 [ cidr_blocks = ["0.0.0.0/0"]
...
────────────────────────────────────────

prtg-load-balancer.tf (terraform)

Tests: 11 (SUCCESSES: 4, FAILURES: 7, EXCEPTIONS: 0)
Failures: 7 (HIGH: 6, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
prtg-load-balancer.tf:82
via prtg-load-balancer.tf:73-90 (aws_lb_listener.prtg_lb_listener)
────────────────────────────────────────
73 resource "aws_lb_listener" "prtg_lb_listener" {
..
82 [ ssl_policy = "ELBSecurityPolicy-2016-08"
..
90 }
────────────────────────────────────────

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
prtg-load-balancer.tf:12-37
────────────────────────────────────────
12 ┌ resource "aws_lb" "prtg_lb" {
13 │
14 │ depends_on = [
15 │ aws_security_group.prtg_lb,
16 │ ]
17 │
18 │ name = "prtg-lb-${var.networking[0].application}"
19 │ internal = false
20 └ load_balancer_type = "application"
..
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
prtg-load-balancer.tf:19
via prtg-load-balancer.tf:12-37 (aws_lb.prtg_lb)
────────────────────────────────────────
12 resource "aws_lb" "prtg_lb" {
..
19 [ internal = false
..
37 }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

waf-load-balancer.tf (terraform)

Tests: 18 (SUCCESSES: 7, FAILURES: 11, EXCEPTIONS: 0)
Failures: 11 (HIGH: 10, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
waf-load-balancer.tf:96
via waf-load-balancer.tf:87-104 (aws_lb_listener.waf_lb_listener)
────────────────────────────────────────
87 resource "aws_lb_listener" "waf_lb_listener" {
..
96 [ ssl_policy = "ELBSecurityPolicy-2016-08"
...
104 }
────────────────────────────────────────

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
waf-load-balancer.tf:27-52
────────────────────────────────────────
27 ┌ resource "aws_lb" "waf_lb" {
28 │
29 │ depends_on = [
30 │ aws_security_group.waf_lb,
31 │ ]
32 │
33 │ name = "waf-lb-${var.networking[0].application}"
34 │ internal = false
35 └ load_balancer_type = "application"
..
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
waf-load-balancer.tf:34
via waf-load-balancer.tf:27-52 (aws_lb.waf_lb)
────────────────────────────────────────
27 resource "aws_lb" "waf_lb" {
..
34 [ internal = false
..
52 }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/xhibit-portal

*****************************

Running Checkov in terraform/environments/xhibit-portal
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-17 15:09:38,774 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import:None (for external modules, the --download-external-modules flag is required)
2024-09-17 15:09:38,774 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 541, Failed checks: 98, Skipped checks: 8

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app-server
	File: /app-server.tf:1-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "app-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig02-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 |   metadata_options {
		13 |     http_tokens   = "required"
		14 |     http_endpoint = "enabled"
		15 |   }
		16 | 
		17 |   root_block_device {
		18 |     encrypted = true
		19 |     tags = {
		20 |       Name = "root-block-device-app-${local.application_name}"
		21 |     }
		22 |   }
		23 | 
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       # This prevents clobbering the tags of attached EBS volumes. See
		27 |       # [this bug][1] in the AWS provider upstream.
		28 |       #
		29 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		30 |       #volume_tags,
		31 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		32 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		33 |     ]
		34 | 
		35 |     prevent_destroy = true
		36 |   }
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Name = "app-${local.application_name}"
		42 |     }
		43 |   )
		44 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:7-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		7  | module "bastion_linux" {
		8  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		9  | 
		10 |   providers = {
		11 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		12 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		13 |   }
		14 | 
		15 |   # s3 - used for logs and user ssh public keys
		16 |   bucket_name = "bastion"
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 |   # bastion
		25 |   allow_ssh_commands = false
		26 | 
		27 |   app_name      = var.networking[0].application
		28 |   business_unit = local.vpc_name
		29 |   subnet_set    = local.subnet_set
		30 |   environment   = local.environment
		31 |   region        = "eu-west-2"
		32 | 
		33 |   # Tags
		34 |   tags_common = local.tags
		35 |   tags_prefix = terraform.workspace
		36 | 
		37 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.build-server
	File: /build-server.tf:1-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "build-server" {
		2  |   depends_on                  = [aws_security_group.build_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].buildserver-ami
		5  |   vpc_security_group_ids      = [aws_security_group.build_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-build-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 |   }
		36 | 
		37 |   tags = merge(
		38 |     local.tags,
		39 |     {
		40 |       Name = "build-${local.application_name}"
		41 |     }
		42 |   )
		43 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.build-disk1
	File: /build-server.tf:46-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		46 | resource "aws_ebs_volume" "build-disk1" {
		47 |   depends_on        = [aws_instance.build-server]
		48 |   availability_zone = "${local.region}a"
		49 |   type              = "gp2"
		50 |   encrypted         = true
		51 | 
		52 |   snapshot_id = local.application_data.accounts[local.environment].buildserver-disk-1-snapshot
		53 | 
		54 |   tags = merge(
		55 |     local.tags,
		56 |     {
		57 |       Name = "build-disk1-${local.application_name}"
		58 |     }
		59 |   )
		60 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.cjim-server
	File: /cjim-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "cjim-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig04-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjim-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjim-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.cjim-disk1
	File: /cjim-server.tf:48-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		48 | resource "aws_ebs_volume" "cjim-disk1" {
		49 |   depends_on        = [aws_instance.cjim-server]
		50 |   availability_zone = "${local.region}a"
		51 |   type              = "gp2"
		52 |   encrypted         = true
		53 | 
		54 |   snapshot_id = local.application_data.accounts[local.environment].suprig04-disk-1-snapshot
		55 | 
		56 |   tags = merge(
		57 |     local.tags,
		58 |     {
		59 |       Name = "cjim-disk1-${local.application_name}"
		60 |     }
		61 |   )
		62 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.cjip-server
	File: /cjip-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "cjip-server" {
		2  |   depends_on                  = [aws_security_group.ingestion_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig05-ami
		5  |   vpc_security_group_ids      = [aws_security_group.ingestion_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjip-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjip-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.cjip-disk1
	File: /cjip-server.tf:48-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		48 | resource "aws_ebs_volume" "cjip-disk1" {
		49 |   depends_on        = [aws_instance.cjip-server]
		50 |   availability_zone = "${local.region}a"
		51 |   type              = "gp2"
		52 |   encrypted         = true
		53 | 
		54 |   snapshot_id = local.application_data.accounts[local.environment].suprig05-disk-1-snapshot
		55 | 
		56 |   tags = merge(
		57 |     local.tags,
		58 |     {
		59 |       Name = "cjip-disk1-${local.application_name}"
		60 |     }
		61 |   )
		62 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.shared_cmk_policy
	File: /cms_key.tf:16-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database-server-baremetal
	File: /database-server-baremetal.tf:3-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		3  | resource "aws_instance" "database-server-baremetal" {
		4  |   # Used to only allow the bare metal server to deploy in prod
		5  |   count                       = local.only_in_production
		6  |   depends_on                  = [aws_security_group.sms_server]
		7  |   instance_type               = "c5d.metal"
		8  |   ami                         = local.application_data.accounts[local.environment].suprig01-baremetal-ami
		9  |   vpc_security_group_ids      = [aws_security_group.sms_server.id]
		10 |   monitoring                  = false
		11 |   associate_public_ip_address = false
		12 |   ebs_optimized               = false
		13 |   subnet_id                   = data.aws_subnet.private_az_a.id
		14 |   key_name                    = aws_key_pair.ben.key_name
		15 | 
		16 | 
		17 |   metadata_options {
		18 |     http_tokens   = "required"
		19 |     http_endpoint = "enabled"
		20 |   }
		21 | 
		22 |   root_block_device {
		23 |     encrypted   = true
		24 |     volume_size = 300
		25 |     tags = {
		26 |       Name = "root-block-device-baremetal-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       volume_tags,
		37 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		38 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		39 |     ]
		40 | 
		41 |     prevent_destroy = true
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name = "baremetal-${local.application_name}"
		48 |     }
		49 |   )
		50 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-baremetal-disk1
	File: /database-server-baremetal.tf:53-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		53 | resource "aws_ebs_volume" "database-baremetal-disk1" {
		54 |   count             = local.only_in_production
		55 |   depends_on        = [aws_instance.database-server-baremetal]
		56 |   availability_zone = "${local.region}a"
		57 |   type              = "gp2"
		58 |   encrypted         = true
		59 |   size              = 4000
		60 | 
		61 |   tags = merge(
		62 |     local.tags,
		63 |     {
		64 |       Name = "database-baremetal-disk1-${local.application_name}"
		65 |     }
		66 |   )
		67 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.app-baremetal-disk2
	File: /database-server-baremetal.tf:98-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		98  | resource "aws_ebs_volume" "app-baremetal-disk2" {
		99  |   count             = local.only_in_production
		100 |   depends_on        = [aws_instance.database-server-baremetal]
		101 |   availability_zone = "${local.region}a"
		102 |   type              = "gp2"
		103 |   encrypted         = true
		104 |   size              = 2000
		105 | 
		106 |   tags = merge(
		107 |     local.tags,
		108 |     {
		109 |       Name = "app-baremetal-disk2-${local.application_name}"
		110 |     }
		111 |   )
		112 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database-server
	File: /database-server.tf:2-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		2  | resource "aws_instance" "database-server" {
		3  |   depends_on                  = [aws_security_group.app_servers]
		4  |   instance_type               = "t2.medium"
		5  |   ami                         = local.application_data.accounts[local.environment].suprig01-ami
		6  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		7  |   monitoring                  = false
		8  |   associate_public_ip_address = false
		9  |   ebs_optimized               = false
		10 |   subnet_id                   = data.aws_subnet.private_az_a.id
		11 |   key_name                    = aws_key_pair.george.key_name
		12 | 
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   root_block_device {
		20 |     encrypted   = true
		21 |     volume_size = 64
		22 |     tags = {
		23 |       Name = "root-block-device-database-${local.application_name}"
		24 |     }
		25 |   }
		26 | 
		27 |   lifecycle {
		28 |     ignore_changes = [
		29 |       # This prevents clobbering the tags of attached EBS volumes. See
		30 |       # [this bug][1] in the AWS provider upstream.
		31 |       #
		32 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		33 |       volume_tags,
		34 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		35 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		36 |     ]
		37 | 
		38 |     prevent_destroy = true
		39 |   }
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Name = "database-${local.application_name}"
		45 |     }
		46 |   )
		47 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk1
	File: /database-server.tf:50-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		50 | resource "aws_ebs_volume" "database-disk1" {
		51 |   depends_on        = [aws_instance.database-server]
		52 |   availability_zone = "${local.region}a"
		53 |   type              = "gp2"
		54 |   encrypted         = true
		55 | 
		56 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-1-snapshot
		57 | 
		58 |   tags = merge(
		59 |     local.tags,
		60 |     {
		61 |       Name = "database-disk1-${local.application_name}"
		62 |     }
		63 |   )
		64 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk2
	File: /database-server.tf:77-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		77 | resource "aws_ebs_volume" "database-disk2" {
		78 |   depends_on        = [aws_instance.database-server]
		79 |   availability_zone = "${local.region}a"
		80 |   type              = "gp2"
		81 |   encrypted         = true
		82 | 
		83 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-2-snapshot
		84 | 
		85 |   tags = merge(
		86 |     local.tags,
		87 |     {
		88 |       Name = "database-disk2-${local.application_name}"
		89 |     }
		90 |   )
		91 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk3
	File: /database-server.tf:102-116
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		102 | resource "aws_ebs_volume" "database-disk3" {
		103 |   depends_on        = [aws_instance.database-server]
		104 |   availability_zone = "${local.region}a"
		105 |   type              = "gp2"
		106 |   encrypted         = true
		107 | 
		108 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-3-snapshot
		109 | 
		110 |   tags = merge(
		111 |     local.tags,
		112 |     {
		113 |       Name = "database-disk3-${local.application_name}"
		114 |     }
		115 |   )
		116 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk4
	File: /database-server.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		126 | resource "aws_ebs_volume" "database-disk4" {
		127 |   depends_on        = [aws_instance.database-server]
		128 |   availability_zone = "${local.region}a"
		129 |   type              = "gp2"
		130 |   encrypted         = true
		131 | 
		132 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-4-snapshot
		133 | 
		134 |   tags = merge(
		135 |     local.tags,
		136 |     {
		137 |       Name = "database-disk4-${local.application_name}"
		138 |     }
		139 |   )
		140 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk5
	File: /database-server.tf:150-164
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		150 | resource "aws_ebs_volume" "database-disk5" {
		151 |   depends_on        = [aws_instance.database-server]
		152 |   availability_zone = "${local.region}a"
		153 |   type              = "gp2"
		154 |   encrypted         = true
		155 | 
		156 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-5-snapshot
		157 | 
		158 |   tags = merge(
		159 |     local.tags,
		160 |     {
		161 |       Name = "database-disk5-${local.application_name}"
		162 |     }
		163 |   )
		164 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk6
	File: /database-server.tf:175-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		175 | resource "aws_ebs_volume" "database-disk6" {
		176 |   depends_on        = [aws_instance.database-server]
		177 |   availability_zone = "${local.region}a"
		178 |   type              = "gp2"
		179 |   encrypted         = true
		180 | 
		181 |   #snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-6-snapshot
		182 | 
		183 |   size = 300
		184 | 
		185 |   tags = merge(
		186 |     local.tags,
		187 |     {
		188 |       Name = "database-disk6-${local.application_name}"
		189 |     }
		190 |   )
		191 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk7
	File: /database-server.tf:201-215
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		201 | resource "aws_ebs_volume" "database-disk7" {
		202 |   depends_on        = [aws_instance.database-server]
		203 |   availability_zone = "${local.region}a"
		204 |   type              = "gp2"
		205 |   encrypted         = true
		206 | 
		207 |   size = 300
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "database-disk7-${local.application_name}"
		213 |     }
		214 |   )
		215 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.infra1
	File: /domain-controllers.tf:103-144
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		103 | resource "aws_instance" "infra1" {
		104 |   instance_type               = "t2.small"
		105 |   ami                         = local.application_data.accounts[local.environment].infra1-ami
		106 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		107 |   monitoring                  = false
		108 |   associate_public_ip_address = false
		109 |   ebs_optimized               = false
		110 |   subnet_id                   = data.aws_subnet.private_az_a.id
		111 |   key_name                    = aws_key_pair.george.key_name
		112 | 
		113 | 
		114 |   metadata_options {
		115 |     http_tokens   = "required"
		116 |     http_endpoint = "enabled"
		117 |   }
		118 | 
		119 |   root_block_device {
		120 |     encrypted = true
		121 |     tags = {
		122 |       Name = "root-block-device-infra1-${local.application_name}"
		123 |     }
		124 |   }
		125 | 
		126 |   lifecycle {
		127 |     ignore_changes = [
		128 |       # This prevents clobbering the tags of attached EBS volumes. See
		129 |       # [this bug][1] in the AWS provider upstream.
		130 |       #
		131 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		132 |       #volume_tags,
		133 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		134 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		135 |     ]
		136 |   }
		137 | 
		138 |   tags = merge(
		139 |     local.tags,
		140 |     {
		141 |       Name = "infra1-${local.application_name}"
		142 |     }
		143 |   )
		144 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.infra1-disk1
	File: /domain-controllers.tf:146-159
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		146 | resource "aws_ebs_volume" "infra1-disk1" {
		147 |   availability_zone = "${local.region}a"
		148 |   type              = "gp2"
		149 |   encrypted         = true
		150 | 
		151 |   snapshot_id = local.application_data.accounts[local.environment].infra1-disk-1-snapshot
		152 | 
		153 |   tags = merge(
		154 |     local.tags,
		155 |     {
		156 |       Name = "infra1-disk1-${local.application_name}"
		157 |     }
		158 |   )
		159 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.infra2
	File: /domain-controllers.tf:169-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		169 | resource "aws_instance" "infra2" {
		170 |   depends_on                  = [aws_security_group.app_servers, aws_security_group.outbound_dns_resolver]
		171 |   instance_type               = "t2.small"
		172 |   ami                         = local.application_data.accounts[local.environment].infra2-ami
		173 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		174 |   monitoring                  = false
		175 |   associate_public_ip_address = false
		176 |   ebs_optimized               = false
		177 |   subnet_id                   = data.aws_subnet.private_az_b.id
		178 |   key_name                    = aws_key_pair.george.key_name
		179 | 
		180 | 
		181 |   metadata_options {
		182 |     http_tokens   = "required"
		183 |     http_endpoint = "enabled"
		184 |   }
		185 | 
		186 |   root_block_device {
		187 |     encrypted = true
		188 |     tags = {
		189 |       Name = "root-block-device-infra2-${local.application_name}"
		190 |     }
		191 |   }
		192 | 
		193 |   lifecycle {
		194 |     ignore_changes = [
		195 |       # This prevents clobbering the tags of attached EBS volumes. See
		196 |       # [this bug][1] in the AWS provider upstream.
		197 |       #
		198 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		199 |       volume_tags,
		200 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		201 |       #root_block_device,
		202 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		203 |     ]
		204 | 
		205 |     prevent_destroy = true
		206 |   }
		207 | 
		208 |   tags = merge(
		209 |     local.tags,
		210 |     {
		211 |       Name = "infra2-${local.application_name}"
		212 |     }
		213 |   )
		214 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.exchange-server
	File: /exchange-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		6  | resource "aws_instance" "exchange-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.exchange_server]
		9  |   instance_type               = "t2.medium"
		10 |   ami                         = local.application_data.accounts[local.environment].infra6-ami
		11 |   vpc_security_group_ids      = [aws_security_group.exchange_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-exchange-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = true
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "exchange-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.exchange-disk1
	File: /exchange-server.tf:53-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		53 | resource "aws_ebs_volume" "exchange-disk1" {
		54 |   depends_on        = [aws_instance.exchange-server]
		55 |   availability_zone = "${local.region}a"
		56 |   type              = "gp2"
		57 |   encrypted         = true
		58 | 
		59 |   snapshot_id = local.application_data.accounts[local.environment].infra6-disk-1-snapshot
		60 | 
		61 |   tags = merge(
		62 |     local.tags,
		63 |     {
		64 |       Name = "exchange-disk1-${local.application_name}"
		65 |     }
		66 |   )
		67 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.exchange-disk2
	File: /exchange-server.tf:77-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		77 | resource "aws_ebs_volume" "exchange-disk2" {
		78 |   depends_on        = [aws_instance.exchange-server]
		79 |   availability_zone = "${local.region}a"
		80 |   type              = "gp2"
		81 |   encrypted         = true
		82 | 
		83 |   snapshot_id = local.application_data.accounts[local.environment].infra6-disk-2-snapshot
		84 | 
		85 |   tags = merge(
		86 |     local.tags,
		87 |     {
		88 |       Name = "exchange-disk2-${local.application_name}"
		89 |     }
		90 |   )
		91 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.iisrelay-server
	File: /iisrelay-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		6  | resource "aws_instance" "iisrelay-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.iisrelay_server]
		9  |   instance_type               = "t3.large"
		10 |   ami                         = local.application_data.accounts[local.environment].iisrelay-ami
		11 |   vpc_security_group_ids      = [aws_security_group.iisrelay_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-iisrelay-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = false
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "iisrelay-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_277: "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-group-does-not-allow-all-traffic-on-all-ports

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.disk_xvdf
	File: /importmachine.tf:89-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		89  | resource "aws_ebs_volume" "disk_xvdf" {
		90  |   depends_on        = [aws_instance.importmachine]
		91  |   snapshot_id       = local.application_data.accounts[local.environment].importmachine-data-snapshot
		92  |   availability_zone = "${local.region}a"
		93  |   type              = "gp2"
		94  |   encrypted         = true
		95  |   size              = 6000
		96  | 
		97  |   tags = merge(
		98  |     local.tags,
		99  |     {
		100 |       Name = "importmachine-${local.application_name}-disk"
		101 |     }
		102 |   )
		103 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vm-import
	File: /importrole.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "vm-import" {
		2  | 
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"
		4  | 
		5  |   bucket_prefix    = local.application_data.accounts[local.environment].bucket_prefix
		6  |   tags             = local.tags
		7  |   application_name = local.application_name
		8  |   account_number   = local.environment_management.account_ids[terraform.workspace]
		9  | 
		10 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vm-import
	File: /importrole.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		1  | module "vm-import" {
		2  | 
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"
		4  | 
		5  |   bucket_prefix    = local.application_data.accounts[local.environment].bucket_prefix
		6  |   tags             = local.tags
		7  |   application_name = local.application_name
		8  |   account_number   = local.environment_management.account_ids[terraform.workspace]
		9  | 
		10 | }

Check: CKV_AWS_213: "Ensure ELB Policy uses only secure protocols"
	FAILED for resource: aws_load_balancer_policy.ingestion-ssl
	File: /ingestion-load-balancer.tf:199-674
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-elb-policy-uses-only-secure-protocols

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.root_snapshot_to_ami
	File: /lambda.tf:57-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		57 | resource "aws_lambda_function" "root_snapshot_to_ami" {
		58 |   # checkov:skip=CKV_AWS_50: "X-ray tracing is not required"
		59 |   # checkov:skip=CKV_AWS_117: "Lambda is not environment specific"
		60 |   # checkov:skip=CKV_AWS_116: "DLQ not required"
		61 |   filename                       = "lambda/lambda_function.zip"
		62 |   function_name                  = "root_snapshot_to_ami"
		63 |   role                           = aws_iam_role.snapshot_lambda.arn
		64 |   handler                        = "index.lambda_handler"
		65 |   source_code_hash               = data.archive_file.lambda_zip.output_base64sha256
		66 |   runtime                        = "python3.8"
		67 |   timeout                        = "120"
		68 |   reserved_concurrent_executions = 1
		69 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_old_ami
	File: /lambda.tf:150-164
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		150 | resource "aws_lambda_function" "delete_old_ami" {
		151 |   # checkov:skip=CKV_AWS_50: "X-ray tracing is not required"
		152 |   # checkov:skip=CKV_AWS_117: "Lambda is not environment specific"
		153 |   # checkov:skip=CKV_AWS_116: "DLQ not required"
		154 |   filename         = "lambda/delete_old_ami.zip"
		155 |   function_name    = "delete_old_ami"
		156 |   role             = aws_iam_role.delete_snapshot_lambda.arn
		157 |   handler          = "delete_old_ami.lambda_handler"
		158 |   source_code_hash = data.archive_file.delete_lambda_zip.output_base64sha256
		159 |   runtime          = "python3.8"
		160 |   # "large" amount of memory because of the amount of snapshots
		161 |   memory_size                    = "1280"
		162 |   timeout                        = "240"
		163 |   reserved_concurrent_executions = 1
		164 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.sms-inbound-bastion
	File: /network-infrastructure.tf:154-161
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		154 | resource "aws_security_group_rule" "sms-inbound-bastion" {
		155 |   from_port                = 3389
		156 |   protocol                 = "TCP"
		157 |   security_group_id        = aws_security_group.sms_server.id
		158 |   to_port                  = 3389
		159 |   type                     = "ingress"
		160 |   source_security_group_id = module.bastion_linux.bastion_security_group
		161 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.portal-server
	File: /portal-server.tf:1-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "portal-server" {
		2  |   depends_on                  = [aws_security_group.portal_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig03-ami
		5  |   vpc_security_group_ids      = [aws_security_group.portal_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-portal-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       #root_block_device,
		34 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		35 |     ]
		36 | 
		37 |     prevent_destroy = true
		38 |   }
		39 | 
		40 |   tags = merge(
		41 |     local.tags,
		42 |     {
		43 |       Name = "portal-${local.application_name}"
		44 |     }
		45 |   )
		46 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.prtg_lb
	File: /prtg-load-balancer.tf:12-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		12 | resource "aws_lb" "prtg_lb" {
		13 | 
		14 |   depends_on = [
		15 |     aws_security_group.prtg_lb,
		16 |   ]
		17 | 
		18 |   name                       = "prtg-lb-${var.networking[0].application}"
		19 |   internal                   = false
		20 |   load_balancer_type         = "application"
		21 |   security_groups            = [aws_security_group.prtg_lb.id]
		22 |   subnets                    = data.aws_subnets.prtg-shared-public.ids
		23 |   enable_deletion_protection = false
		24 | 
		25 |   access_logs {
		26 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		27 |     prefix  = "http-lb"
		28 |     enabled = true
		29 |   }
		30 | 
		31 |   tags = merge(
		32 |     local.tags,
		33 |     {
		34 |       Name = "prtg-lb-${var.networking[0].application}"
		35 |     },
		36 |   )
		37 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.prtg_lb
	File: /prtg-load-balancer.tf:12-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		12 | resource "aws_lb" "prtg_lb" {
		13 | 
		14 |   depends_on = [
		15 |     aws_security_group.prtg_lb,
		16 |   ]
		17 | 
		18 |   name                       = "prtg-lb-${var.networking[0].application}"
		19 |   internal                   = false
		20 |   load_balancer_type         = "application"
		21 |   security_groups            = [aws_security_group.prtg_lb.id]
		22 |   subnets                    = data.aws_subnets.prtg-shared-public.ids
		23 |   enable_deletion_protection = false
		24 | 
		25 |   access_logs {
		26 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		27 |     prefix  = "http-lb"
		28 |     enabled = true
		29 |   }
		30 | 
		31 |   tags = merge(
		32 |     local.tags,
		33 |     {
		34 |       Name = "prtg-lb-${var.networking[0].application}"
		35 |     },
		36 |   )
		37 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.prtg_acl
	File: /prtg-load-balancer.tf:138-204
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.sms-server
	File: /sms-server.tf:1-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "sms-server" {
		2  |   depends_on                  = [aws_security_group.sms_server]
		3  |   instance_type               = "t3.large"
		4  |   ami                         = local.application_data.accounts[local.environment].XHBPRESMS01-ami
		5  |   vpc_security_group_ids      = [aws_security_group.sms_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.gary.key_name
		11 |   #key_name                    = aws_key_pair.george.key_name
		12 |   iam_instance_profile = aws_iam_instance_profile.ec2_xp_profile.id
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   root_block_device {
		20 |     encrypted = true
		21 |     tags = {
		22 |       Name = "root-block-device-sms-server-${local.application_name}"
		23 |     }
		24 |   }
		25 | 
		26 |   lifecycle {
		27 |     ignore_changes = [
		28 |       # This prevents clobbering the tags of attached EBS volumes. See
		29 |       # [this bug][1] in the AWS provider upstream.
		30 |       #
		31 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		32 |       volume_tags,
		33 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		34 |       #root_block_device,
		35 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		36 |     ]
		37 | 
		38 |     prevent_destroy = false
		39 |   }
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Name = "sms-${local.application_name}"
		45 |     }
		46 |   )
		47 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.waf_lb
	File: /waf-load-balancer.tf:27-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		27 | resource "aws_lb" "waf_lb" {
		28 | 
		29 |   depends_on = [
		30 |     aws_security_group.waf_lb,
		31 |   ]
		32 | 
		33 |   name                       = "waf-lb-${var.networking[0].application}"
		34 |   internal                   = false
		35 |   load_balancer_type         = "application"
		36 |   security_groups            = [aws_security_group.waf_lb.id]
		37 |   subnets                    = data.aws_subnets.waf-shared-public.ids
		38 |   enable_deletion_protection = false
		39 | 
		40 |   access_logs {
		41 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		42 |     prefix  = "http-lb"
		43 |     enabled = true
		44 |   }
		45 | 
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Name = "waf-lb-${var.networking[0].application}"
		50 |     },
		51 |   )
		52 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.waf_lb
	File: /waf-load-balancer.tf:27-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		27 | resource "aws_lb" "waf_lb" {
		28 | 
		29 |   depends_on = [
		30 |     aws_security_group.waf_lb,
		31 |   ]
		32 | 
		33 |   name                       = "waf-lb-${var.networking[0].application}"
		34 |   internal                   = false
		35 |   load_balancer_type         = "application"
		36 |   security_groups            = [aws_security_group.waf_lb.id]
		37 |   subnets                    = data.aws_subnets.waf-shared-public.ids
		38 |   enable_deletion_protection = false
		39 | 
		40 |   access_logs {
		41 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		42 |     prefix  = "http-lb"
		43 |     enabled = true
		44 |   }
		45 | 
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Name = "waf-lb-${var.networking[0].application}"
		50 |     },
		51 |   )
		52 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf-load-balancer.tf:224-290
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.zgit
	File: /xp-secrets.tf:15-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		15 | resource "aws_secretsmanager_secret" "zgit" {
		16 |   name        = "${local.environment}/zgit.pem"
		17 |   description = "key pair used for the zgit-server-xhibit-portal"
		18 |   policy      = <<POLICY
		19 | {
		20 |   "Version" : "2012-10-17",
		21 |   "Statement" : [ {
		22 |     "Sid" : "AdministratorFullAccess",
		23 |     "Effect" : "Allow",
		24 |     "Principal" : {
		25 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		26 |     },
		27 |     "Action" : "secretsmanager:*",
		28 |     "Resource" : "*"
		29 |   },
		30 |   {
		31 |     "Sid" : "MPDeveloperFullAccess",
		32 |     "Effect" : "Allow",
		33 |     "Principal" : {
		34 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		35 |     },
		36 |     "Action" : "secretsmanager:*",  
		37 |     "Resource" : "*"
		38 |   } ]
		39 | }
		40 | POLICY
		41 | 
		42 |   tags = local.tags
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.prtgadmin
	File: /xp-secrets.tf:45-73
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		45 | resource "aws_secretsmanager_secret" "prtgadmin" {
		46 |   name        = "${local.environment}/prtgadmin"
		47 |   description = "Root admin account used for the PRTG monitoring application on the import machine"
		48 |   policy      = <<POLICY
		49 | {
		50 |   "Version" : "2012-10-17",
		51 |   "Statement" : [ {
		52 |     "Sid" : "AdministratorFullAccess",
		53 |     "Effect" : "Allow",
		54 |     "Principal" : {
		55 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		56 |     },
		57 |     "Action" : "secretsmanager:*",
		58 |     "Resource" : "*"
		59 |   },
		60 |   {
		61 |     "Sid" : "MPDeveloperFullAccess",
		62 |     "Effect" : "Allow",
		63 |     "Principal" : {
		64 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		65 |     },
		66 |     "Action" : "secretsmanager:*",  
		67 |     "Resource" : "*"
		68 |   } ]
		69 | }
		70 | POLICY
		71 | 
		72 |   tags = local.tags
		73 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.george
	File: /xp-secrets.tf:75-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		75  | resource "aws_secretsmanager_secret" "george" {
		76  |   name        = "${local.environment}/george.pem"
		77  |   description = "Private key for keypair george"
		78  |   policy      = <<POLICY
		79  | {
		80  |   "Version" : "2012-10-17",
		81  |   "Statement" : [ {
		82  |     "Sid" : "AdministratorFullAccess",
		83  |     "Effect" : "Allow",
		84  |     "Principal" : {
		85  |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		86  |     },
		87  |     "Action" : "secretsmanager:*",
		88  |     "Resource" : "*"
		89  |   },
		90  |   {
		91  |     "Sid" : "MPDeveloperFullAccess",
		92  |     "Effect" : "Allow",
		93  |     "Principal" : {
		94  |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		95  |     },
		96  |     "Action" : "secretsmanager:*",  
		97  |     "Resource" : "*"
		98  |   } ]
		99  | }
		100 | POLICY
		101 | 
		102 |   tags = local.tags
		103 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.aladmin
	File: /xp-secrets.tf:105-133
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		105 | resource "aws_secretsmanager_secret" "aladmin" {
		106 |   name        = "${local.environment}/aladmin"
		107 |   description = "The local admin password for the local user 'aladmin' on our domain joined EC2 instances"
		108 |   policy      = <<POLICY
		109 | {
		110 |   "Version" : "2012-10-17",
		111 |   "Statement" : [ {
		112 |     "Sid" : "AdministratorFullAccess",
		113 |     "Effect" : "Allow",
		114 |     "Principal" : {
		115 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		116 |     },
		117 |     "Action" : "secretsmanager:*",
		118 |     "Resource" : "*"
		119 |   },
		120 |   {
		121 |     "Sid" : "MPDeveloperFullAccess",
		122 |     "Effect" : "Allow",
		123 |     "Principal" : {
		124 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		125 |     },
		126 |     "Action" : "secretsmanager:*",  
		127 |     "Resource" : "*"
		128 |   } ]
		129 | }
		130 | POLICY
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.domainadmin-aladmin
	File: /xp-secrets.tf:135-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		135 | resource "aws_secretsmanager_secret" "domainadmin-aladmin" {
		136 |   name        = "${local.environment}/aladmin@cjse.sema.local"
		137 |   description = "Domain admin account"
		138 |   policy      = <<POLICY
		139 | {
		140 |   "Version" : "2012-10-17",
		141 |   "Statement" : [ {
		142 |     "Sid" : "AdministratorFullAccess",
		143 |     "Effect" : "Allow",
		144 |     "Principal" : {
		145 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		146 |     },
		147 |     "Action" : "secretsmanager:*",
		148 |     "Resource" : "*"
		149 |   },
		150 |   {
		151 |     "Sid" : "MPDeveloperFullAccess",
		152 |     "Effect" : "Allow",
		153 |     "Principal" : {
		154 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		155 |     },
		156 |     "Action" : "secretsmanager:*",  
		157 |     "Resource" : "*"
		158 |   } ]
		159 | }
		160 | POLICY
		161 | 
		162 |   tags = local.tags
		163 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.prtg_lb_listener
	File: /prtg-load-balancer.tf:73-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		73 | resource "aws_lb_listener" "prtg_lb_listener" {
		74 |   depends_on = [
		75 |     aws_acm_certificate_validation.prtg_lb_cert_validation,
		76 |     aws_lb_target_group.prtg_lb_web_tg
		77 |   ]
		78 | 
		79 |   load_balancer_arn = aws_lb.prtg_lb.arn
		80 |   port              = "443"
		81 |   protocol          = "HTTPS"
		82 |   ssl_policy        = "ELBSecurityPolicy-2016-08"
		83 |   certificate_arn   = aws_acm_certificate.prtg_lb_cert.arn
		84 |   # certificate_arn   = data.aws_acm_certificate.ingestion_cert.arn 
		85 | 
		86 |   default_action {
		87 |     type             = "forward"
		88 |     target_group_arn = aws_lb_target_group.prtg_lb_web_tg.arn
		89 |   }
		90 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.waf_lb_listener
	File: /waf-load-balancer.tf:87-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		87  | resource "aws_lb_listener" "waf_lb_listener" {
		88  |   depends_on = [
		89  |     aws_acm_certificate_validation.waf_lb_cert_validation,
		90  |     aws_lb_target_group.waf_lb_web_tg
		91  |   ]
		92  | 
		93  |   load_balancer_arn = aws_lb.waf_lb.arn
		94  |   port              = "443"
		95  |   protocol          = "HTTPS"
		96  |   ssl_policy        = "ELBSecurityPolicy-2016-08"
		97  |   certificate_arn   = aws_acm_certificate.waf_lb_cert.arn
		98  |   # certificate_arn   = data.aws_acm_certificate.ingestion_cert.arn 
		99  | 
		100 |   default_action {
		101 |     type             = "forward"
		102 |     target_group_arn = aws_lb_target_group.waf_lb_web_tg.arn
		103 |   }
		104 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.zgit
	File: /xp-secrets.tf:15-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		15 | resource "aws_secretsmanager_secret" "zgit" {
		16 |   name        = "${local.environment}/zgit.pem"
		17 |   description = "key pair used for the zgit-server-xhibit-portal"
		18 |   policy      = <<POLICY
		19 | {
		20 |   "Version" : "2012-10-17",
		21 |   "Statement" : [ {
		22 |     "Sid" : "AdministratorFullAccess",
		23 |     "Effect" : "Allow",
		24 |     "Principal" : {
		25 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		26 |     },
		27 |     "Action" : "secretsmanager:*",
		28 |     "Resource" : "*"
		29 |   },
		30 |   {
		31 |     "Sid" : "MPDeveloperFullAccess",
		32 |     "Effect" : "Allow",
		33 |     "Principal" : {
		34 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		35 |     },
		36 |     "Action" : "secretsmanager:*",  
		37 |     "Resource" : "*"
		38 |   } ]
		39 | }
		40 | POLICY
		41 | 
		42 |   tags = local.tags
		43 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.prtgadmin
	File: /xp-secrets.tf:45-73
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		45 | resource "aws_secretsmanager_secret" "prtgadmin" {
		46 |   name        = "${local.environment}/prtgadmin"
		47 |   description = "Root admin account used for the PRTG monitoring application on the import machine"
		48 |   policy      = <<POLICY
		49 | {
		50 |   "Version" : "2012-10-17",
		51 |   "Statement" : [ {
		52 |     "Sid" : "AdministratorFullAccess",
		53 |     "Effect" : "Allow",
		54 |     "Principal" : {
		55 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		56 |     },
		57 |     "Action" : "secretsmanager:*",
		58 |     "Resource" : "*"
		59 |   },
		60 |   {
		61 |     "Sid" : "MPDeveloperFullAccess",
		62 |     "Effect" : "Allow",
		63 |     "Principal" : {
		64 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		65 |     },
		66 |     "Action" : "secretsmanager:*",  
		67 |     "Resource" : "*"
		68 |   } ]
		69 | }
		70 | POLICY
		71 | 
		72 |   tags = local.tags
		73 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.george
	File: /xp-secrets.tf:75-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		75  | resource "aws_secretsmanager_secret" "george" {
		76  |   name        = "${local.environment}/george.pem"
		77  |   description = "Private key for keypair george"
		78  |   policy      = <<POLICY
		79  | {
		80  |   "Version" : "2012-10-17",
		81  |   "Statement" : [ {
		82  |     "Sid" : "AdministratorFullAccess",
		83  |     "Effect" : "Allow",
		84  |     "Principal" : {
		85  |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		86  |     },
		87  |     "Action" : "secretsmanager:*",
		88  |     "Resource" : "*"
		89  |   },
		90  |   {
		91  |     "Sid" : "MPDeveloperFullAccess",
		92  |     "Effect" : "Allow",
		93  |     "Principal" : {
		94  |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		95  |     },
		96  |     "Action" : "secretsmanager:*",  
		97  |     "Resource" : "*"
		98  |   } ]
		99  | }
		100 | POLICY
		101 | 
		102 |   tags = local.tags
		103 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.aladmin
	File: /xp-secrets.tf:105-133
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		105 | resource "aws_secretsmanager_secret" "aladmin" {
		106 |   name        = "${local.environment}/aladmin"
		107 |   description = "The local admin password for the local user 'aladmin' on our domain joined EC2 instances"
		108 |   policy      = <<POLICY
		109 | {
		110 |   "Version" : "2012-10-17",
		111 |   "Statement" : [ {
		112 |     "Sid" : "AdministratorFullAccess",
		113 |     "Effect" : "Allow",
		114 |     "Principal" : {
		115 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		116 |     },
		117 |     "Action" : "secretsmanager:*",
		118 |     "Resource" : "*"
		119 |   },
		120 |   {
		121 |     "Sid" : "MPDeveloperFullAccess",
		122 |     "Effect" : "Allow",
		123 |     "Principal" : {
		124 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		125 |     },
		126 |     "Action" : "secretsmanager:*",  
		127 |     "Resource" : "*"
		128 |   } ]
		129 | }
		130 | POLICY
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.domainadmin-aladmin
	File: /xp-secrets.tf:135-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		135 | resource "aws_secretsmanager_secret" "domainadmin-aladmin" {
		136 |   name        = "${local.environment}/aladmin@cjse.sema.local"
		137 |   description = "Domain admin account"
		138 |   policy      = <<POLICY
		139 | {
		140 |   "Version" : "2012-10-17",
		141 |   "Statement" : [ {
		142 |     "Sid" : "AdministratorFullAccess",
		143 |     "Effect" : "Allow",
		144 |     "Principal" : {
		145 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		146 |     },
		147 |     "Action" : "secretsmanager:*",
		148 |     "Resource" : "*"
		149 |   },
		150 |   {
		151 |     "Sid" : "MPDeveloperFullAccess",
		152 |     "Effect" : "Allow",
		153 |     "Principal" : {
		154 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		155 |     },
		156 |     "Action" : "secretsmanager:*",  
		157 |     "Resource" : "*"
		158 |   } ]
		159 | }
		160 | POLICY
		161 | 
		162 |   tags = local.tags
		163 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.app-server
	File: /app-server.tf:1-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "app-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig02-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 |   metadata_options {
		13 |     http_tokens   = "required"
		14 |     http_endpoint = "enabled"
		15 |   }
		16 | 
		17 |   root_block_device {
		18 |     encrypted = true
		19 |     tags = {
		20 |       Name = "root-block-device-app-${local.application_name}"
		21 |     }
		22 |   }
		23 | 
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       # This prevents clobbering the tags of attached EBS volumes. See
		27 |       # [this bug][1] in the AWS provider upstream.
		28 |       #
		29 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		30 |       #volume_tags,
		31 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		32 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		33 |     ]
		34 | 
		35 |     prevent_destroy = true
		36 |   }
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Name = "app-${local.application_name}"
		42 |     }
		43 |   )
		44 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.build-server
	File: /build-server.tf:1-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "build-server" {
		2  |   depends_on                  = [aws_security_group.build_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].buildserver-ami
		5  |   vpc_security_group_ids      = [aws_security_group.build_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-build-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 |   }
		36 | 
		37 |   tags = merge(
		38 |     local.tags,
		39 |     {
		40 |       Name = "build-${local.application_name}"
		41 |     }
		42 |   )
		43 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.cjim-server
	File: /cjim-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "cjim-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig04-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjim-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjim-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.cjip-server
	File: /cjip-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "cjip-server" {
		2  |   depends_on                  = [aws_security_group.ingestion_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig05-ami
		5  |   vpc_security_group_ids      = [aws_security_group.ingestion_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjip-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjip-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.database-server-baremetal
	File: /database-server-baremetal.tf:3-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		3  | resource "aws_instance" "database-server-baremetal" {
		4  |   # Used to only allow the bare metal server to deploy in prod
		5  |   count                       = local.only_in_production
		6  |   depends_on                  = [aws_security_group.sms_server]
		7  |   instance_type               = "c5d.metal"
		8  |   ami                         = local.application_data.accounts[local.environment].suprig01-baremetal-ami
		9  |   vpc_security_group_ids      = [aws_security_group.sms_server.id]
		10 |   monitoring                  = false
		11 |   associate_public_ip_address = false
		12 |   ebs_optimized               = false
		13 |   subnet_id                   = data.aws_subnet.private_az_a.id
		14 |   key_name                    = aws_key_pair.ben.key_name
		15 | 
		16 | 
		17 |   metadata_options {
		18 |     http_tokens   = "required"
		19 |     http_endpoint = "enabled"
		20 |   }
		21 | 
		22 |   root_block_device {
		23 |     encrypted   = true
		24 |     volume_size = 300
		25 |     tags = {
		26 |       Name = "root-block-device-baremetal-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       volume_tags,
		37 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		38 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		39 |     ]
		40 | 
		41 |     prevent_destroy = true
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name = "baremetal-${local.application_name}"
		48 |     }
		49 |   )
		50 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.database-server
	File: /database-server.tf:2-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		2  | resource "aws_instance" "database-server" {
		3  |   depends_on                  = [aws_security_group.app_servers]
		4  |   instance_type               = "t2.medium"
		5  |   ami                         = local.application_data.accounts[local.environment].suprig01-ami
		6  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		7  |   monitoring                  = false
		8  |   associate_public_ip_address = false
		9  |   ebs_optimized               = false
		10 |   subnet_id                   = data.aws_subnet.private_az_a.id
		11 |   key_name                    = aws_key_pair.george.key_name
		12 | 
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   root_block_device {
		20 |     encrypted   = true
		21 |     volume_size = 64
		22 |     tags = {
		23 |       Name = "root-block-device-database-${local.application_name}"
		24 |     }
		25 |   }
		26 | 
		27 |   lifecycle {
		28 |     ignore_changes = [
		29 |       # This prevents clobbering the tags of attached EBS volumes. See
		30 |       # [this bug][1] in the AWS provider upstream.
		31 |       #
		32 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		33 |       volume_tags,
		34 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		35 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		36 |     ]
		37 | 
		38 |     prevent_destroy = true
		39 |   }
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Name = "database-${local.application_name}"
		45 |     }
		46 |   )
		47 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.infra1
	File: /domain-controllers.tf:103-144
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		103 | resource "aws_instance" "infra1" {
		104 |   instance_type               = "t2.small"
		105 |   ami                         = local.application_data.accounts[local.environment].infra1-ami
		106 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		107 |   monitoring                  = false
		108 |   associate_public_ip_address = false
		109 |   ebs_optimized               = false
		110 |   subnet_id                   = data.aws_subnet.private_az_a.id
		111 |   key_name                    = aws_key_pair.george.key_name
		112 | 
		113 | 
		114 |   metadata_options {
		115 |     http_tokens   = "required"
		116 |     http_endpoint = "enabled"
		117 |   }
		118 | 
		119 |   root_block_device {
		120 |     encrypted = true
		121 |     tags = {
		122 |       Name = "root-block-device-infra1-${local.application_name}"
		123 |     }
		124 |   }
		125 | 
		126 |   lifecycle {
		127 |     ignore_changes = [
		128 |       # This prevents clobbering the tags of attached EBS volumes. See
		129 |       # [this bug][1] in the AWS provider upstream.
		130 |       #
		131 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		132 |       #volume_tags,
		133 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		134 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		135 |     ]
		136 |   }
		137 | 
		138 |   tags = merge(
		139 |     local.tags,
		140 |     {
		141 |       Name = "infra1-${local.application_name}"
		142 |     }
		143 |   )
		144 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.infra2
	File: /domain-controllers.tf:169-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		169 | resource "aws_instance" "infra2" {
		170 |   depends_on                  = [aws_security_group.app_servers, aws_security_group.outbound_dns_resolver]
		171 |   instance_type               = "t2.small"
		172 |   ami                         = local.application_data.accounts[local.environment].infra2-ami
		173 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		174 |   monitoring                  = false
		175 |   associate_public_ip_address = false
		176 |   ebs_optimized               = false
		177 |   subnet_id                   = data.aws_subnet.private_az_b.id
		178 |   key_name                    = aws_key_pair.george.key_name
		179 | 
		180 | 
		181 |   metadata_options {
		182 |     http_tokens   = "required"
		183 |     http_endpoint = "enabled"
		184 |   }
		185 | 
		186 |   root_block_device {
		187 |     encrypted = true
		188 |     tags = {
		189 |       Name = "root-block-device-infra2-${local.application_name}"
		190 |     }
		191 |   }
		192 | 
		193 |   lifecycle {
		194 |     ignore_changes = [
		195 |       # This prevents clobbering the tags of attached EBS volumes. See
		196 |       # [this bug][1] in the AWS provider upstream.
		197 |       #
		198 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		199 |       volume_tags,
		200 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		201 |       #root_block_device,
		202 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		203 |     ]
		204 | 
		205 |     prevent_destroy = true
		206 |   }
		207 | 
		208 |   tags = merge(
		209 |     local.tags,
		210 |     {
		211 |       Name = "infra2-${local.application_name}"
		212 |     }
		213 |   )
		214 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.exchange-server
	File: /exchange-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		6  | resource "aws_instance" "exchange-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.exchange_server]
		9  |   instance_type               = "t2.medium"
		10 |   ami                         = local.application_data.accounts[local.environment].infra6-ami
		11 |   vpc_security_group_ids      = [aws_security_group.exchange_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-exchange-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = true
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "exchange-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.iisrelay-server
	File: /iisrelay-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		6  | resource "aws_instance" "iisrelay-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.iisrelay_server]
		9  |   instance_type               = "t3.large"
		10 |   ami                         = local.application_data.accounts[local.environment].iisrelay-ami
		11 |   vpc_security_group_ids      = [aws_security_group.iisrelay_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-iisrelay-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = false
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "iisrelay-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.importmachine
	File: /importmachine.tf:49-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		49 | resource "aws_instance" "importmachine" {
		50 | 
		51 |   depends_on             = [aws_security_group.importmachine]
		52 |   instance_type          = "t3a.large"
		53 |   ami                    = local.application_data.accounts[local.environment].importmachine-ami
		54 |   vpc_security_group_ids = [aws_security_group.importmachine.id]
		55 |   monitoring             = true
		56 |   ebs_optimized          = true
		57 |   subnet_id              = data.aws_subnet.private_az_a.id
		58 |   key_name               = aws_key_pair.george.key_name
		59 | 
		60 |   metadata_options {
		61 |     http_tokens   = "required"
		62 |     http_endpoint = "enabled"
		63 |   }
		64 | 
		65 |   root_block_device {
		66 |     encrypted   = true
		67 |     volume_size = 70
		68 |   }
		69 | 
		70 |   lifecycle {
		71 |     ignore_changes = [
		72 |       # This prevents clobbering the tags of attached EBS volumes. See
		73 |       # [this bug][1] in the AWS provider upstream.
		74 | 
		75 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		76 |       volume_tags,
		77 |     ]
		78 |     prevent_destroy = true
		79 |   }
		80 | 
		81 |   tags = merge(
		82 |     local.tags,
		83 |     {
		84 |       Name = "importmachine-${local.application_name}"
		85 |     }
		86 |   )
		87 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.portal-server
	File: /portal-server.tf:1-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "portal-server" {
		2  |   depends_on                  = [aws_security_group.portal_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig03-ami
		5  |   vpc_security_group_ids      = [aws_security_group.portal_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-portal-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       #root_block_device,
		34 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		35 |     ]
		36 | 
		37 |     prevent_destroy = true
		38 |   }
		39 | 
		40 |   tags = merge(
		41 |     local.tags,
		42 |     {
		43 |       Name = "portal-${local.application_name}"
		44 |     }
		45 |   )
		46 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/xhibit-portal

*****************************

Running tflint in terraform/environments/xhibit-portal
Excluding the following checks: terraform_unused_declarations
18 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import" is not pinned (terraform_module_pinned_source)

  on terraform/environments/xhibit-portal/importrole.tf line 3:
   3:   source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/ingestion-load-balancer.tf line 140:
 140:       "${aws_s3_bucket.ingestion_loadbalancer_logs.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/ingestion-load-balancer.tf line 190:
 190:     resources = ["${aws_s3_bucket.ingestion_loadbalancer_logs.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/xhibit-portal/lambda.tf line 141:
 141: data "archive_file" "delete_lambda_zip" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 98:
  98:     "${local.application_data.accounts[local.environment].public_dns_name_prtg}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 237:
 237:   log_destination_configs = ["${aws_s3_bucket.prtg_logs[0].arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 257:
 257:       "${aws_s3_bucket.prtg_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 296:
 296:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 321:
 321:       "${aws_s3_bucket.prtg_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 328:
 328:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 184:
 184:     "${local.application_data.accounts[local.environment].public_dns_name_web}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 334:
 334:       "${aws_s3_bucket.loadbalancer_logs.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 384:
 384:     resources = ["${aws_s3_bucket.loadbalancer_logs.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 418:
 418:   log_destination_configs = ["${aws_s3_bucket.waf_logs[0].arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 438:
 438:       "${aws_s3_bucket.waf_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 477:
 477:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 502:
 502:       "${aws_s3_bucket.waf_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 509:
 509:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/xhibit-portal

*****************************

Running Trivy in terraform/environments/xhibit-portal
2024-09-17T15:09:28Z	INFO	[db] Need to update DB
2024-09-17T15:09:28Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-17T15:09:31Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-17T15:09:31Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-17T15:09:31Z	INFO	Need to update the built-in policies
2024-09-17T15:09:31Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-17T15:09:31Z	INFO	[secret] Secret scanning is enabled
2024-09-17T15:09:31Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-17T15:09:31Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-17T15:09:31Z	INFO	[npm] To collect the license information of packages, "npm install" needs to be performed beforehand	dir="scripts/perf/node_modules"
2024-09-17T15:09:32Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-17T15:09:32Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-17T15:09:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-09-17T15:09:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-09-17T15:09:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T15:09:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T15:09:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:09:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:09:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:09:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:09:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:09:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:09:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:09:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:09:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:09:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:09:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:09:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:09:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:09:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:09:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:09:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:09:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:09:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:09:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:09:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:09:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:09:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:09:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:09:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-lambda-enable-tracing" range="lambda.tf:150-164"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-lambda-enable-tracing" range="lambda.tf:57-69"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:8-19"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:8-19"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:8-19"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:8-19"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:157-165"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:242-284"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:303-321"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0/main.tf:303-321"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/main.tf:88-118"
2024-09-17T15:09:35Z	INFO	Number of language-specific files	num=1
2024-09-17T15:09:35Z	INFO	[npm] Detecting vulnerabilities...
2024-09-17T15:09:35Z	INFO	Detected config files	num=24

For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://aquasecurity.github.io/trivy/v0.55/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


scripts/perf/package-lock.json (npm)
====================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬──────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Status │ Installed Version │    Fixed Version    │                          Title                           │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ jsonwebtoken │ CVE-2022-23539 │ HIGH     │ fixed  │ 8.5.1             │ 9.0.0               │ jsonwebtoken: Unrestricted key type could lead to legacy │
│              │                │          │        │                   │                     │ keys usagen                                              │
│              │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-23539               │
├──────────────┼────────────────┤          │        ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ semver       │ CVE-2022-25883 │          │        │ 5.7.1             │ 7.5.2, 6.3.1, 5.7.2 │ nodejs-semver: Regular expression denial of service      │
│              │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-25883               │
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴──────────────────────────────────────────────────────────┘

importmachine.tf (terraform)
============================
Tests: 9 (SUCCESSES: 5, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 importmachine.tf:29
   via importmachine.tf:23-30 (egress)
    via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
   1   resource "aws_security_group" "importmachine" {
   .   
  29 [     ipv6_cidr_blocks = ["::/0"]
  ..   
  32   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 importmachine.tf:28
   via importmachine.tf:23-30 (egress)
    via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
   1   resource "aws_security_group" "importmachine" {
   .   
  28 [     cidr_blocks      = ["0.0.0.0/0"]
  ..   
  32   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 importmachine.tf:20
   via importmachine.tf:14-21 (ingress)
    via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
   1   resource "aws_security_group" "importmachine" {
   .   
  20 [     ipv6_cidr_blocks = ["::/0"]
  ..   
  32   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 importmachine.tf:19
   via importmachine.tf:14-21 (ingress)
    via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
   1   resource "aws_security_group" "importmachine" {
   .   
  19 [     cidr_blocks      = ["0.0.0.0/0"]
  ..   
  32   }
────────────────────────────────────────



ingestion-load-balancer.tf (terraform)
======================================
Tests: 8 (SUCCESSES: 2, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 5, CRITICAL: 1)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ingestion-load-balancer.tf:59
   via ingestion-load-balancer.tf:52-97 (aws_elb.ingestion_lb)
────────────────────────────────────────
  52   resource "aws_elb" "ingestion_lb" {
  ..   
  59 [   internal        = false
  ..   
  97   }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 ingestion-load-balancer.tf:26-36
   via ingestion-load-balancer.tf:18-40 (aws_security_group_rule.ingestion_lb_allow_web_users)
────────────────────────────────────────
  18   resource "aws_security_group_rule" "ingestion_lb_allow_web_users" {
  ..   
  26 ┌   cidr_blocks = [
  27 │     "10.182.60.51/32",   # NLE CGI proxy 
  28 │     "195.59.75.151/32",  # New proxy IPs from Prashanth for testing ingestion NLE DEV
  29 │     "195.59.75.152/32",  # New proxy IPs from Prashanth for testing ingestion NLE DEV
  30 │     "194.33.192.0/24",   # New proxy IPs from Prashanth for testing ingestion LE PROD
  31 │     "194.33.196.0/24",   # New proxy IPs from Prashanth for testing ingestion LE PROD
  32 └     "194.33.248.0/24",   # New proxy IPs from Prashanth for testing ingestion LE PROD
  ..   
────────────────────────────────────────



network-infrastructure.tf (terraform)
=====================================
Tests: 64 (SUCCESSES: 54, FAILURES: 10, EXCEPTIONS: 0)
Failures: 10 (HIGH: 0, CRITICAL: 10)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 network-infrastructure.tf:129
   via network-infrastructure.tf:120-130 (aws_security_group_rule.exchange-outbound-all)
────────────────────────────────────────
 120   resource "aws_security_group_rule" "exchange-outbound-all" {
 121     depends_on        = [aws_security_group.exchange_server]
 122     security_group_id = aws_security_group.exchange_server.id
 123     type              = "egress"
 124     description       = "allow all"
 125     from_port         = 0
 126     to_port           = 0
 127     protocol          = "-1"
 128     cidr_blocks       = ["0.0.0.0/0"]
 ...   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 network-infrastructure.tf:128
   via network-infrastructure.tf:120-130 (aws_security_group_rule.exchange-outbound-all)
────────────────────────────────────────
 120   resource "aws_security_group_rule" "exchange-outbound-all" {
 121     depends_on        = [aws_security_group.exchange_server]
 122     security_group_id = aws_security_group.exchange_server.id
 123     type              = "egress"
 124     description       = "allow all"
 125     from_port         = 0
 126     to_port           = 0
 127     protocol          = "-1"
 128 [   cidr_blocks       = ["0.0.0.0/0"]
 ...   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 network-infrastructure.tf:694
   via network-infrastructure.tf:685-695 (aws_security_group_rule.iisrelay-outbound-all)
────────────────────────────────────────
 685   resource "aws_security_group_rule" "iisrelay-outbound-all" {
 686     depends_on        = [aws_security_group.iisrelay_server]
 687     security_group_id = aws_security_group.iisrelay_server.id
 688     type              = "egress"
 689     description       = "allow all"
 690     from_port         = 0
 691     to_port           = 0
 692     protocol          = "-1"
 693     cidr_blocks       = ["0.0.0.0/0"]
 ...   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 network-infrastructure.tf:693
   via network-infrastructure.tf:685-695 (aws_security_group_rule.iisrelay-outbound-all)
────────────────────────────────────────
 685   resource "aws_security_group_rule" "iisrelay-outbound-all" {
 686     depends_on        = [aws_security_group.iisrelay_server]
 687     security_group_id = aws_security_group.iisrelay_server.id
 688     type              = "egress"
 689     description       = "allow all"
 690     from_port         = 0
 691     to_port           = 0
 692     protocol          = "-1"
 693 [   cidr_blocks       = ["0.0.0.0/0"]
 ...   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 network-infrastructure.tf:207
   via network-infrastructure.tf:199-208 (aws_security_group_rule.sms-outbound-all-ipv4)
────────────────────────────────────────
 199   resource "aws_security_group_rule" "sms-outbound-all-ipv4" {
 200     depends_on        = [aws_security_group.sms_server]
 201     security_group_id = aws_security_group.sms_server.id
 202     type              = "egress"
 203     description       = "allow all ipv4"
 204     from_port         = 0
 205     to_port           = 0
 206     protocol          = "-1"
 207 [   cidr_blocks       = ["0.0.0.0/0"]
 208   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 network-infrastructure.tf:218
   via network-infrastructure.tf:210-219 (aws_security_group_rule.sms-outbound-all-ipv6)
────────────────────────────────────────
 210   resource "aws_security_group_rule" "sms-outbound-all-ipv6" {
 211     depends_on        = [aws_security_group.sms_server]
 212     security_group_id = aws_security_group.sms_server.id
 213     type              = "egress"
 214     description       = "allow all ipv6"
 215     from_port         = 0
 216     to_port           = 0
 217     protocol          = "-1"
 218 [   ipv6_cidr_blocks  = ["::/0"]
 219   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 network-infrastructure.tf:297
   via network-infrastructure.tf:288-298 (aws_security_group_rule.prtg_lb_allow_web_users)
────────────────────────────────────────
 288   resource "aws_security_group_rule" "prtg_lb_allow_web_users" {
 289     depends_on        = [aws_security_group.prtg_lb]
 290     security_group_id = aws_security_group.prtg_lb.id
 291     type              = "ingress"
 292     description       = "allow web traffic to get to prtg Load Balancer over SSL "
 293     from_port         = 443
 294     to_port           = 443
 295     protocol          = "TCP"
 296     cidr_blocks       = ["0.0.0.0/0"]
 ...   
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 network-infrastructure.tf:296
   via network-infrastructure.tf:288-298 (aws_security_group_rule.prtg_lb_allow_web_users)
────────────────────────────────────────
 288   resource "aws_security_group_rule" "prtg_lb_allow_web_users" {
 289     depends_on        = [aws_security_group.prtg_lb]
 290     security_group_id = aws_security_group.prtg_lb.id
 291     type              = "ingress"
 292     description       = "allow web traffic to get to prtg Load Balancer over SSL "
 293     from_port         = 443
 294     to_port           = 443
 295     protocol          = "TCP"
 296 [   cidr_blocks       = ["0.0.0.0/0"]
 ...   
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 network-infrastructure.tf:285
   via network-infrastructure.tf:276-286 (aws_security_group_rule.waf_lb_allow_web_users)
────────────────────────────────────────
 276   resource "aws_security_group_rule" "waf_lb_allow_web_users" {
 277     depends_on        = [aws_security_group.waf_lb]
 278     security_group_id = aws_security_group.waf_lb.id
 279     type              = "ingress"
 280     description       = "allow web traffic to get to ingestion server"
 281     from_port         = 443
 282     to_port           = 443
 283     protocol          = "TCP"
 284     cidr_blocks       = ["0.0.0.0/0"]
 ...   
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 network-infrastructure.tf:284
   via network-infrastructure.tf:276-286 (aws_security_group_rule.waf_lb_allow_web_users)
────────────────────────────────────────
 276   resource "aws_security_group_rule" "waf_lb_allow_web_users" {
 277     depends_on        = [aws_security_group.waf_lb]
 278     security_group_id = aws_security_group.waf_lb.id
 279     type              = "ingress"
 280     description       = "allow web traffic to get to ingestion server"
 281     from_port         = 443
 282     to_port           = 443
 283     protocol          = "TCP"
 284 [   cidr_blocks       = ["0.0.0.0/0"]
 ...   
────────────────────────────────────────



prtg-load-balancer.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 4, FAILURES: 7, EXCEPTIONS: 0)
Failures: 7 (HIGH: 6, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
 prtg-load-balancer.tf:82
   via prtg-load-balancer.tf:73-90 (aws_lb_listener.prtg_lb_listener)
────────────────────────────────────────
  73   resource "aws_lb_listener" "prtg_lb_listener" {
  ..   
  82 [   ssl_policy        = "ELBSecurityPolicy-2016-08"
  ..   
  90   }
────────────────────────────────────────


HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 prtg-load-balancer.tf:12-37
────────────────────────────────────────
  12 ┌ resource "aws_lb" "prtg_lb" {
  13 │ 
  14 │   depends_on = [
  15 │     aws_security_group.prtg_lb,
  16 │   ]
  17 │ 
  18 │   name                       = "prtg-lb-${var.networking[0].application}"
  19 │   internal                   = false
  20 └   load_balancer_type         = "application"
  ..   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 prtg-load-balancer.tf:19
   via prtg-load-balancer.tf:12-37 (aws_lb.prtg_lb)
────────────────────────────────────────
  12   resource "aws_lb" "prtg_lb" {
  ..   
  19 [   internal                   = false
  ..   
  37   }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────



waf-load-balancer.tf (terraform)
================================
Tests: 18 (SUCCESSES: 7, FAILURES: 11, EXCEPTIONS: 0)
Failures: 11 (HIGH: 10, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
 waf-load-balancer.tf:96
   via waf-load-balancer.tf:87-104 (aws_lb_listener.waf_lb_listener)
────────────────────────────────────────
  87   resource "aws_lb_listener" "waf_lb_listener" {
  ..   
  96 [   ssl_policy        = "ELBSecurityPolicy-2016-08"
 ...   
 104   }
────────────────────────────────────────


HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 waf-load-balancer.tf:27-52
────────────────────────────────────────
  27 ┌ resource "aws_lb" "waf_lb" {
  28 │ 
  29 │   depends_on = [
  30 │     aws_security_group.waf_lb,
  31 │   ]
  32 │ 
  33 │   name                       = "waf-lb-${var.networking[0].application}"
  34 │   internal                   = false
  35 └   load_balancer_type         = "application"
  ..   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 waf-load-balancer.tf:34
   via waf-load-balancer.tf:27-52 (aws_lb.waf_lb)
────────────────────────────────────────
  27   resource "aws_lb" "waf_lb" {
  ..   
  34 [   internal                   = false
  ..   
  52   }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


trivy_exitcode=1