Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.0 in /terraform/environments/cdpt-ifs #8204

dependabot · 2024-10-14T00:40:40Z

Bumps bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.0.

Release notes

Sourced from bastion_linux::modernisation-platform-terraform-bastion-linux's releases.

v4.3.0

What's New

Launch templates will now resolve the SSM Parameter for amzn2-ami-hvm-x86_64-gp2 and resolve the latest version when creating instances. You can read the AWS documentation on using parameter resolution in templates here.

What's Changed

A lot of dependabot version bumps

Feature/trivy by @ep-93 in ministryofjustice/modernisation-platform-terraform-bastion-linux#413

updated README.md and unit test name by @Khatraf in ministryofjustice/modernisation-platform-terraform-bastion-linux#436

add tfsec exception to fix static-analysis check failure by @robertsweetman in ministryofjustice/modernisation-platform-terraform-bastion-linux#460

Adds the redact of sensitive data items from test workflow output. by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#465

Fixes unredacted data values in workflow log. by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#473

Update main.tf by @ep-93 in ministryofjustice/modernisation-platform-terraform-bastion-linux#474

issue/7689 by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#544

Bump Go versions by @ASTRobinson in ministryofjustice/modernisation-platform-terraform-bastion-linux#551

Updated template to use dynamic resolution of SSM parameter store value by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#563

New Contributors

@Kudzai-moj made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#415

@Khatraf made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#436

@robertsweetman made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#460

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.1...v4.3.0

Commits

440a828 Merge pull request #563 from ministryofjustice/feature/1385-resolve-parameter...
9b1804b terraform-docs: automated action
7acb479 updated template to use dynamic resolution of SSM parameter store value
72b6469 Merge pull request #562 from ministryofjustice/dependabot/github_actions/mini...
2cab62f Bump ministryofjustice/github-actions from 18.2.0 to 18.2.1
de00773 Merge pull request #561 from ministryofjustice/dependabot/github_actions/acti...
226a136 Bump actions/upload-artifact from 4.4.2 to 4.4.3
69ed718 Merge pull request #560 from ministryofjustice/dependabot/github_actions/aqua...
32650dd Merge pull request #558 from ministryofjustice/dependabot/github_actions/acti...
55feca3 Merge pull request #559 from ministryofjustice/dependabot/github_actions/acti...
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [bastion_linux::modernisation-platform-terraform-bastion-linux](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux) from 4.2.1 to 4.3.0. - [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux/releases) - [Commits](ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.1...v4.3.0) --- updated-dependencies: - dependency-name: bastion_linux::github::ministryofjustice/modernisation-platform-terraform-bastion-linux::v4.2.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2024-10-14T00:42:06Z

`Trivy Scan` Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-10-14T00:41:55Z INFO [vulndb] Need to update DB
2024-10-14T00:41:55Z INFO [vulndb] Downloading vulnerability DB...
2024-10-14T00:41:55Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T00:41:57Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T00:41:57Z INFO [vuln] Vulnerability scanning is enabled
2024-10-14T00:41:57Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-14T00:41:57Z INFO [misconfig] Need to update the built-in checks
2024-10-14T00:41:57Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-14T00:41:57Z INFO [secret] Secret scanning is enabled
2024-10-14T00:41:57Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T00:41:57Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-14T00:41:58Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-14T00:41:58Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-14T00:41:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.tag" value="cty.NilVal"
2024-10-14T00:41:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.tag" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-14T00:41:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-14T00:42:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-14T00:42:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-14T00:42:01Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-10-14T00:42:01Z INFO Number of language-specific files num=0
2024-10-14T00:42:01Z INFO Detected config files num=10

(terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────

database.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:5-7
────────────────────────────────────────
5 ┌ resource "aws_sns_topic" "lb_5xx_alarm_topic" {
6 │ name = "lb_5xx_alarm_topic"
7 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-14 00:42:04,503 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
2024-10-14 00:42:04,504 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-14 00:42:04,504 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 109, Failed checks: 40, Skipped checks: 3

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:13-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		13 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		14 |   name = "${local.application_name}-ec2-instance-policy"
		15 | 
		16 |   policy = <<EOF
		17 | {
		18 |     "Version": "2012-10-17",
		19 |     "Statement": [
		20 |         {
		21 |             "Effect": "Allow",
		22 |             "Action": [
		23 |                 "ec2:DescribeTags",
		24 |                 "ecs:CreateCluster",
		25 |                 "ecs:DeregisterContainerInstance",
		26 |                 "ecs:DiscoverPollEndpoint",
		27 |                 "ecs:Poll",
		28 |                 "ecs:RegisterContainerInstance",
		29 |                 "ecs:StartTelemetrySession",
		30 |                 "ecs:UpdateContainerInstancesState",
		31 |                 "ecs:Submit*",
		32 |                 "ecr:GetAuthorizationToken",
		33 |                 "ecr:BatchCheckLayerAvailability",
		34 |                 "ecr:GetDownloadUrlForLayer",
		35 |                 "ecr:BatchGetImage",
		36 |                 "logs:CreateLogGroup",
		37 |                 "logs:CreateLogStream",
		38 |                 "logs:GetLogEvents",
		39 |                 "logs:PutLogEvents",
		40 |                 "logs:DescribeLogGroups",
		41 |                 "logs:DescribeLogStreams",
		42 |                 "logs:PutRetentionPolicy",
		43 |                 "s3:ListBucket",
		44 |                 "s3:*Object*",
		45 |                 "kms:Decrypt",
		46 |                 "kms:Encrypt",
		47 |                 "kms:GenerateDataKey",
		48 |                 "kms:ReEncrypt",
		49 |                 "kms:GenerateDataKey",
		50 |                 "kms:DescribeKey",
		51 |                 "rds:Connect",
		52 |                 "rds:DescribeDBInstances"
		53 |             ],
		54 |             "Resource": "*"
		55 |         }
		56 |     ]
		57 | }
		58 | EOF
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		62 |   name              = "/aws/events/deploymentLogs"
		63 |   retention_in_days = "7"
		64 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:91-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:237-260
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		237 | resource "aws_iam_role_policy" "app_execution" {
		238 |   name = "execution-${var.networking[0].application}"
		239 |   role = aws_iam_role.app_execution.id
		240 | 
		241 |   policy = <<-EOF
		242 |   {
		243 |     "Version": "2012-10-17",
		244 |     "Statement": [
		245 |       {
		246 |            "Action": [
		247 |               "ecr:*",
		248 |               "logs:CreateLogGroup",
		249 |               "logs:CreateLogStream",
		250 |               "logs:PutLogEvents",
		251 |               "logs:DescribeLogStreams",
		252 |               "secretsmanager:GetSecretValue"
		253 |            ],
		254 |            "Resource": "*",
		255 |            "Effect": "Allow"
		256 |       }
		257 |     ]
		258 |   }
		259 |   EOF
		260 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:473-491
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		473 | resource "aws_security_group" "ecs_service" {
		474 |   name_prefix = "ecs-service-sg-"
		475 |   vpc_id      = data.aws_vpc.shared.id
		476 | 
		477 |   ingress {
		478 |     from_port       = 80
		479 |     to_port         = 80
		480 |     protocol        = "tcp"
		481 |     description     = "Allow traffic on port 80 from load balancer"
		482 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		483 |   }
		484 | 
		485 |   egress {
		486 |     from_port   = 0
		487 |     to_port     = 0
		488 |     protocol    = "-1"
		489 |     cidr_blocks = ["0.0.0.0/0"]
		490 |   }
		491 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:536-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		536 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		537 |   name              = "${local.application_name}-ecs"
		538 |   retention_in_days = 30
		539 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.ifs_target_group
	File: /loadbalancer.tf:102-132

		102 | resource "aws_lb_target_group" "ifs_target_group" {
		103 |   name                 = "ifs-target-group"
		104 |   port                 = 80
		105 |   protocol             = "HTTP"
		106 |   vpc_id               = data.aws_vpc.shared.id
		107 |   target_type          = "ip"
		108 |   deregistration_delay = 30
		109 | 
		110 |   stickiness {
		111 |     type = "lb_cookie"
		112 |   }
		113 | 
		114 |   health_check {
		115 |     healthy_threshold   = "5"
		116 |     interval            = "60"
		117 |     protocol            = "HTTP"
		118 |     unhealthy_threshold = "2"
		119 |     matcher             = "200-499"
		120 |     timeout             = "15"
		121 |     path                = "/health"
		122 |   }
		123 | 
		124 |   lifecycle {
		125 |     create_before_destroy = true
		126 |     ignore_changes        = [name]
		127 |   }
		128 | 
		129 |   tags = {
		130 |     Name = "ifs-target-group-${random_string.ifs_target_group_name.result}"
		131 |   }
		132 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.lb_5xx_alarm_topic
	File: /monitoring.tf:5-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		5 | resource "aws_sns_topic" "lb_5xx_alarm_topic" {
		6 |   name = "lb_5xx_alarm_topic"
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:48-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		48 | module "pagerduty_core_alerts" {
		49 |   depends_on = [
		50 |     aws_sns_topic.lb_5xx_alarm_topic
		51 |   ]
		52 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		53 |   sns_topics                = [aws_sns_topic.lb_5xx_alarm_topic.name]
		54 |   pagerduty_integration_key = local.pagerduty_integration_keys["cdpt-ifs-alarms"]
		55 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_lb_sc
	File: /loadbalancer.tf:134-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		134 | resource "aws_security_group" "ifs_lb_sc" {
		135 |   name        = "load balancer security group"
		136 |   description = "control access to the load balancer"
		137 |   vpc_id      = data.aws_vpc.shared.id
		138 | 
		139 |   ingress {
		140 |     description = "allow access on HTTPS"
		141 |     from_port   = 443
		142 |     to_port     = 443
		143 |     protocol    = "tcp"
		144 |     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
		145 |   }
		146 | 
		147 |   egress {
		148 |     description = "Open all outbound ports"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ifs_target_sc
	File: /loadbalancer.tf:156-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		156 | resource "aws_security_group" "ifs_target_sc" {
		157 |   name        = "target security group"
		158 |   description = "allow health check traffic from load balancer"
		159 |   vpc_id      = data.aws_vpc.shared.id
		160 | 
		161 |   ingress {
		162 |     description     = "allow traffic from load balancer"
		163 |     from_port       = 80
		164 |     to_port         = 80
		165 |     protocol        = "tcp"
		166 |     security_groups = [module.lb_access_logs_enabled.security_group.id]
		167 |   }
		168 | 
		169 |   egress {
		170 |     description = "Open all outbound ports"
		171 |     from_port   = 0
		172 |     to_port     = 0
		173 |     protocol    = "-1"
		174 |     cidr_blocks = ["0.0.0.0/0"]
		175 |   }
		176 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 406:
 406:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/loadbalancer.tf line 97:
  97: resource "random_string" "ifs_target_group_name" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

`Trivy Scan` Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-10-14T00:41:55Z	INFO	[vulndb] Need to update DB
2024-10-14T00:41:55Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-14T00:41:55Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T00:41:57Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T00:41:57Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-14T00:41:57Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-14T00:41:57Z	INFO	[misconfig] Need to update the built-in checks
2024-10-14T00:41:57Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-14T00:41:57Z	INFO	[secret] Secret scanning is enabled
2024-10-14T00:41:57Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T00:41:57Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-14T00:41:58Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-14T00:41:58Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-14T00:41:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.tag" value="cty.NilVal"
2024-10-14T00:41:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.tag" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-14T00:41:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-14T00:42:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-14T00:42:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-14T00:42:01Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-10-14T00:42:01Z	INFO	Number of language-specific files	num=0
2024-10-14T00:42:01Z	INFO	Detected config files	num=10

 (terraform)
============
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.


See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5 ┌ resource "aws_db_instance" "database" {
   6 │   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7 │   storage_type              = "gp2"
   8 │   engine                    = "sqlserver-web"
   9 │   engine_version            = "14.00.3381.3.v1"
  10 │   instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11 │   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12 │   username                  = local.application_data.accounts[local.environment].db_user
  13 └   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.


See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:5-7
────────────────────────────────────────
   5 ┌ resource "aws_sns_topic" "lb_5xx_alarm_topic" {
   6 │   name = "lb_5xx_alarm_topic"
   7 └ }
────────────────────────────────────────


trivy_exitcode=1

dependabot · 2024-10-15T00:53:56Z

Superseded by #8239.

dependabot bot requested a review from a team as a code owner October 14, 2024 00:40

dependabot bot added dependencies Pull requests that update a dependency file terraform Pull requests that update Terraform code labels Oct 14, 2024

dependabot bot requested a review from a team as a code owner October 14, 2024 00:40

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 14, 2024

dependabot bot closed this Oct 15, 2024

dependabot bot deleted the dependabot/terraform/terraform/environments/cdpt-ifs/bastion_linux--github--ministryofjustice/modernisation-platform-terraform-bastion-linux--v4.2.1-4.3.0 branch October 15, 2024 00:53

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.0 in /terraform/environments/cdpt-ifs #8204

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.0 in /terraform/environments/cdpt-ifs #8204

dependabot bot commented on behalf of github Oct 14, 2024

github-actions bot commented Oct 14, 2024

(terraform)

database.tf (terraform)

monitoring.tf (terraform)

dependabot bot commented on behalf of github Oct 15, 2024

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.0 in /terraform/environments/cdpt-ifs #8204

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.0 in /terraform/environments/cdpt-ifs #8204

Conversation

dependabot bot commented on behalf of github Oct 14, 2024

v4.3.0

What's New

What's Changed

New Contributors

github-actions bot commented Oct 14, 2024

Trivy Scan Failed

(terraform)

database.tf (terraform)

monitoring.tf (terraform)

CTFLint Scan Failed

Trivy Scan Failed

dependabot bot commented on behalf of github Oct 15, 2024

`Trivy Scan` Failed

`CTFLint Scan` Failed

`Trivy Scan` Failed