Bump terraform-aws-modules/kms/aws from 3.1.0 to 3.1.1 in /terraform/environments/analytical-platform-ingestion #8196

dependabot · 2024-10-14T00:28:19Z

Bumps terraform-aws-modules/kms/aws from 3.1.0 to 3.1.1.

Release notes

Sourced from terraform-aws-modules/kms/aws's releases.

v3.1.1

3.1.1 (2024-10-11)

Bug Fixes

Update CI workflow versions to latest (#35) (c248050)

Changelog

Sourced from terraform-aws-modules/kms/aws's changelog.

3.1.1 (2024-10-11)

Bug Fixes

Update CI workflow versions to latest (#35) (c248050)

Commits

c20bffd chore(release): version 3.1.1 [skip ci]
c248050 fix: Update CI workflow versions to latest (#35)
See full diff in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

github-actions · 2024-10-14T00:29:43Z

`Trivy Scan` Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-14T00:29:29Z INFO [vulndb] Need to update DB
2024-10-14T00:29:29Z INFO [vulndb] Downloading vulnerability DB...
2024-10-14T00:29:29Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T00:29:31Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T00:29:31Z INFO [vuln] Vulnerability scanning is enabled
2024-10-14T00:29:31Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-14T00:29:31Z INFO [misconfig] Need to update the built-in checks
2024-10-14T00:29:31Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-14T00:29:31Z INFO [secret] Secret scanning is enabled
2024-10-14T00:29:31Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T00:29:31Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-14T00:29:32Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-14T00:29:32Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-14T00:29:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-10-14T00:29:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:38Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-14T00:29:38Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-14T00:29:38Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-14T00:29:38Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-14T00:29:38Z INFO Number of language-specific files num=0
2024-10-14T00:29:38Z INFO Detected config files num=13

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

terraform-aws-modules/lambda/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

terraform-aws-modules/vpc/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:340
via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:323
via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:221
via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:204
via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-14 00:29:40,900 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2024-10-14 00:29:40,900 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-14 00:29:40,900 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-14 00:29:40,900 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
2024-10-14 00:29:40,900 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-14 00:29:40,901 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-14 00:29:40,901 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-14 00:29:40,901 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-14 00:29:40,901 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-14 00:29:40,901 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-14 00:29:40,901 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-14 00:29:40,901 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-14 00:29:40,901 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 157, Failed checks: 0, Skipped checks: 58


checkov_exitcode=0

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

`Trivy Scan` Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-14T00:29:29Z	INFO	[vulndb] Need to update DB
2024-10-14T00:29:29Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-14T00:29:29Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T00:29:31Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T00:29:31Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-14T00:29:31Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-14T00:29:31Z	INFO	[misconfig] Need to update the built-in checks
2024-10-14T00:29:31Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-14T00:29:31Z	INFO	[secret] Secret scanning is enabled
2024-10-14T00:29:31Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T00:29:31Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-14T00:29:32Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-14T00:29:32Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-14T00:29:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-10-14T00:29:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-14T00:29:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-14T00:29:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-14T00:29:38Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-14T00:29:38Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-14T00:29:38Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-14T00:29:38Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-14T00:29:38Z	INFO	Number of language-specific files	num=0
2024-10-14T00:29:38Z	INFO	Detected config files	num=13

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/lambda/aws/main.tf (terraform)
====================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

github-actions · 2024-10-21T08:21:43Z

`Trivy Scan` Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-21T08:21:30Z INFO [vulndb] Need to update DB
2024-10-21T08:21:30Z INFO [vulndb] Downloading vulnerability DB...
2024-10-21T08:21:30Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-21T08:21:32Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-21T08:21:32Z INFO [vuln] Vulnerability scanning is enabled
2024-10-21T08:21:32Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-21T08:21:32Z INFO [misconfig] Need to update the built-in checks
2024-10-21T08:21:32Z INFO [misconfig] Downloading the built-in checks...
2024-10-21T08:21:33Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16957b935ef82529bc26f3ceeeb60d798c90ef142d25e3715ab4478b204ed1bb: TOOMANYREQUESTS: retry-after: 618.964µs, allowed: 44000/minute"
2024-10-21T08:21:33Z INFO [secret] Secret scanning is enabled
2024-10-21T08:21:33Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-21T08:21:33Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-21T08:21:33Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-21T08:21:33Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-21T08:21:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-10-21T08:21:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-21T08:21:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-21T08:21:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-21T08:21:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-21T08:21:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-21T08:21:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-21T08:21:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-21T08:21:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-21T08:21:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-21T08:21:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-21T08:21:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-21T08:21:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-21T08:21:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-21T08:21:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-21T08:21:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-21T08:21:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-21T08:21:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-21T08:21:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-21T08:21:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-21T08:21:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-21T08:21:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-21T08:21:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-21T08:21:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-21T08:21:39Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-21T08:21:39Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-21T08:21:39Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-21T08:21:39Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-21T08:21:39Z INFO Number of language-specific files num=0
2024-10-21T08:21:39Z INFO Detected config files num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
12 resource "aws_lb" "this" {
..
47 [ internal = var.internal
..
81 }
────────────────────────────────────────