Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add acl rules for private and public inbound and outbound traffic #8417

Closed
wants to merge 1 commit into from
Closed

feat: add acl rules for private and public inbound and outbound traffic #8417

wants to merge 1 commit into from

Conversation

tom-webber
Copy link
Contributor

No description provided.

@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 23, 2024
@tom-webber tom-webber had a problem deploying to analytical-platform-ingestion-development October 23, 2024 11:18 — with GitHub Actions Error
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-23T11:19:34Z INFO [vulndb] Need to update DB
2024-10-23T11:19:34Z INFO [vulndb] Downloading vulnerability DB...
2024-10-23T11:19:34Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T11:19:36Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T11:19:36Z INFO [vuln] Vulnerability scanning is enabled
2024-10-23T11:19:36Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-23T11:19:36Z INFO [misconfig] Need to update the built-in checks
2024-10-23T11:19:36Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-23T11:19:36Z INFO [secret] Secret scanning is enabled
2024-10-23T11:19:36Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T11:19:36Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T11:19:37Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-23T11:19:37Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-23T11:19:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-10-23T11:19:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-23T11:19:41Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-23T11:19:41Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-23T11:19:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-23T11:19:43Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-23T11:19:43Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-23T11:19:43Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-23T11:19:43Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-23T11:19:43Z INFO Number of language-specific files num=0
2024-10-23T11:19:43Z INFO Detected config files num=13

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
12 resource "aws_lb" "this" {
..
47 [ internal = var.internal
..
81 }
────────────────────────────────────────

terraform-aws-modules/lambda/aws/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

terraform-aws-modules/vpc/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:340
via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:81-102 (module.isolated_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:323
via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:81-102 (module.isolated_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:221
via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:81-102 (module.isolated_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:204
via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:81-102 (module.isolated_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-23 11:19:46,300 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-23 11:19:46,300 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-23 11:19:46,300 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-23 11:19:46,300 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-23 11:19:46,300 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-23 11:19:46,300 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-23 11:19:46,301 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-23 11:19:46,301 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-23 11:19:46,301 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-23 11:19:46,301 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-23 11:19:46,301 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-23 11:19:46,301 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-23 11:19:46,302 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-23 11:19:46,302 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 162, Failed checks: 0, Skipped checks: 62


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-23T11:19:34Z	INFO	[vulndb] Need to update DB
2024-10-23T11:19:34Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-23T11:19:34Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T11:19:36Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T11:19:36Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-23T11:19:36Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-23T11:19:36Z	INFO	[misconfig] Need to update the built-in checks
2024-10-23T11:19:36Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-23T11:19:36Z	INFO	[secret] Secret scanning is enabled
2024-10-23T11:19:36Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T11:19:36Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T11:19:37Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-23T11:19:37Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-23T11:19:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-10-23T11:19:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-23T11:19:41Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-23T11:19:41Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-23T11:19:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-23T11:19:43Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-23T11:19:43Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-23T11:19:43Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-23T11:19:43Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-23T11:19:43Z	INFO	Number of language-specific files	num=0
2024-10-23T11:19:43Z	INFO	Detected config files	num=13

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
   via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
    via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
  12   resource "aws_lb" "this" {
  ..   
  47 [   internal                                                     = var.internal
  ..   
  81   }
────────────────────────────────────────



terraform-aws-modules/lambda/aws/main.tf (terraform)
====================================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permissioneven if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permissioneven if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:81-102 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:81-102 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:81-102 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:81-102 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

@tom-webber tom-webber closed this Oct 29, 2024
@tom-webber tom-webber deleted the fix/AP-5705-update-networking-rules-for-datasync branch October 29, 2024 09:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tom-webber