TM-65 Update user data for additional dba steps #8462

Merged
merged 17 commits into from
Nov 1, 2024

Conversation

@vc13837 (Contributor) commented Oct 25, 2024

No description provided.

@vc13837 requested review from a team as code owners October 25, 2024 12:40
@github-actions bot added the environments-repository label Oct 25, 2024
@vc13837 temporarily deployed to contract-work-administration-development October 25, 2024 12:42 with GitHub Actions (deployment now inactive)
Contributor

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-10-25T12:43:02Z INFO [vulndb] Need to update DB
2024-10-25T12:43:02Z INFO [vulndb] Downloading vulnerability DB...
2024-10-25T12:43:02Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-25T12:43:04Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-25T12:43:04Z INFO [vuln] Vulnerability scanning is enabled
2024-10-25T12:43:04Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-25T12:43:04Z INFO [misconfig] Need to update the built-in checks
2024-10-25T12:43:04Z INFO [misconfig] Downloading the built-in checks...
2024-10-25T12:43:04Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16957b935ef82529bc26f3ceeeb60d798c90ef142d25e3715ab4478b204ed1bb: TOOMANYREQUESTS: retry-after: 584.155µs, allowed: 44000/minute"
2024-10-25T12:43:04Z INFO [secret] Secret scanning is enabled
2024-10-25T12:43:04Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-25T12:43:04Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-25T12:43:05Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-25T12:43:05Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-25T12:43:06Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-25T12:43:06Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-25T12:43:06Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-25T12:43:06Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-25T12:43:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-25T12:43:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-25T12:43:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-25T12:43:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-25T12:43:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-25T12:43:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-25T12:43:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-25T12:43:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-25T12:43:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-25T12:43:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-25T12:43:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-25T12:43:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-25T12:43:08Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-25T12:43:09Z INFO Number of language-specific files num=0
2024-10-25T12:43:09Z INFO Detected config files num=9

alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:132
via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
130 resource "aws_lb" "external" {
...
132 [ internal = false
...
153 }
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:191
via app_servers.tf:190-192 (metadata_options)
via app_servers.tf:179-211 (aws_instance.app1)
────────────────────────────────────────
179 resource "aws_instance" "app1" {
...
191 [ http_tokens = "optional"
...
211 }
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:213-243
────────────────────────────────────────
213 ┌ resource "aws_instance" "app2" {
214 │ count = contains(["development", "testing"], local.environment) ? 0 : 1
215 │ ami = local.application_data.accounts[local.environment].app_ami_id
216 │ availability_zone = "eu-west-2a"
217 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
218 │ monitoring = true
219 │ vpc_security_group_ids = [aws_security_group.app.id]
220 │ subnet_id = data.aws_subnet.data_subnets_a.id
221 └ iam_instance_profile = aws_iam_instance_profile.cwa.id
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:179-211
────────────────────────────────────────
179 ┌ resource "aws_instance" "app1" {
180 │ ami = local.application_data.accounts[local.environment].app_ami_id
181 │ availability_zone = "eu-west-2a"
182 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
183 │ monitoring = true
184 │ vpc_security_group_ids = [aws_security_group.app.id]
185 │ subnet_id = data.aws_subnet.private_subnets_a.id
186 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
187 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:213-243
────────────────────────────────────────
213 ┌ resource "aws_instance" "app2" {
214 │ count = contains(["development", "testing"], local.environment) ? 0 : 1
215 │ ami = local.application_data.accounts[local.environment].app_ami_id
216 │ availability_zone = "eu-west-2a"
217 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
218 │ monitoring = true
219 │ vpc_security_group_ids = [aws_security_group.app.id]
220 │ subnet_id = data.aws_subnet.data_subnets_a.id
221 └ iam_instance_profile = aws_iam_instance_profile.cwa.id
...
────────────────────────────────────────

backup_lambda.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:170
via concurrent_manager.tf:169-171 (metadata_options)
via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
158 resource "aws_instance" "concurrent_manager" {
...
170 [ http_tokens = "optional"
...
190 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:158-190
────────────────────────────────────────
158 ┌ resource "aws_instance" "concurrent_manager" {
159 │ ami = local.application_data.accounts[local.environment].cm_ami_id
160 │ availability_zone = "eu-west-2a"
161 │ instance_type = local.application_data.accounts[local.environment].cm_instance_type
162 │ monitoring = true
163 │ vpc_security_group_ids = [aws_security_group.concurrent_manager.id]
164 │ subnet_id = data.aws_subnet.private_subnets_a.id
165 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
166 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

database.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:196
via database.tf:195-197 (metadata_options)
via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
184 resource "aws_instance" "database" {
...
196 [ http_tokens = "optional"
...
213 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:184-213
────────────────────────────────────────
184 ┌ resource "aws_instance" "database" {
185 │ ami = local.application_data.accounts[local.environment].db_ami_id
186 │ availability_zone = "eu-west-2a"
187 │ instance_type = local.application_data.accounts[local.environment].db_instance_type
188 │ monitoring = true
189 │ vpc_security_group_ids = [aws_security_group.database.id]
190 │ subnet_id = data.aws_subnet.data_subnets_a.id
191 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
192 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

trivy_exitcode=1

```
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-25 12:43:11,430 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-25 12:43:11,430 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-10-25 12:43:11,430 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:179-211
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		179 | resource "aws_instance" "app1" {
		180 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		181 |   availability_zone           = "eu-west-2a"
		182 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		183 |   monitoring                  = true
		184 |   vpc_security_group_ids      = [aws_security_group.app.id]
		185 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		186 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		187 |   key_name                    = aws_key_pair.cwa.key_name
		188 |   user_data_base64            = base64encode(local.app_userdata)
		189 |   user_data_replace_on_change = false
		190 |   metadata_options {
		191 |     http_tokens = "optional"
		192 |   }
		193 | 
		194 |   root_block_device {
		195 |     tags = merge(
		196 |       { "instance-scheduling" = "skip-scheduling" },
		197 |       local.tags,
		198 |       { "Name" = "${local.application_name_short}-app1-root" }
		199 |     )
		200 |   }
		201 | 
		202 |   tags = merge(
		203 |     { "instance-scheduling" = "skip-scheduling" },
		204 |     local.tags,
		205 |     { "Name" = local.appserver1_ec2_name },
		206 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		207 |   )
		208 | 
		209 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		210 | 
		211 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:179-211
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		179 | resource "aws_instance" "app1" {
		180 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		181 |   availability_zone           = "eu-west-2a"
		182 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		183 |   monitoring                  = true
		184 |   vpc_security_group_ids      = [aws_security_group.app.id]
		185 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		186 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		187 |   key_name                    = aws_key_pair.cwa.key_name
		188 |   user_data_base64            = base64encode(local.app_userdata)
		189 |   user_data_replace_on_change = false
		190 |   metadata_options {
		191 |     http_tokens = "optional"
		192 |   }
		193 | 
		194 |   root_block_device {
		195 |     tags = merge(
		196 |       { "instance-scheduling" = "skip-scheduling" },
		197 |       local.tags,
		198 |       { "Name" = "${local.application_name_short}-app1-root" }
		199 |     )
		200 |   }
		201 | 
		202 |   tags = merge(
		203 |     { "instance-scheduling" = "skip-scheduling" },
		204 |     local.tags,
		205 |     { "Name" = local.appserver1_ec2_name },
		206 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		207 |   )
		208 | 
		209 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		210 | 
		211 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:213-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		213 | resource "aws_instance" "app2" {
		214 |   count                  = contains(["development", "testing"], local.environment) ? 0 : 1
		215 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		216 |   availability_zone      = "eu-west-2a"
		217 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		218 |   monitoring             = true
		219 |   vpc_security_group_ids = [aws_security_group.app.id]
		220 |   subnet_id              = data.aws_subnet.data_subnets_a.id
		221 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		222 |   key_name               = aws_key_pair.cwa.key_name
		223 |   #   user_data_base64            = base64encode(local.app_userdata)
		224 |   #   user_data_replace_on_change = true
		225 | 
		226 |   root_block_device {
		227 |     tags = merge(
		228 |       { "instance-scheduling" = "skip-scheduling" },
		229 |       local.tags,
		230 |       { "Name" = "${local.application_name_short}-app2-root" }
		231 |     )
		232 |   }
		233 | 
		234 |   tags = merge(
		235 |     { "instance-scheduling" = "skip-scheduling" },
		236 |     local.tags,
		237 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		238 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		239 |   )
		240 | 
		241 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		242 | 
		243 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:213-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		213 | resource "aws_instance" "app2" {
		214 |   count                  = contains(["development", "testing"], local.environment) ? 0 : 1
		215 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		216 |   availability_zone      = "eu-west-2a"
		217 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		218 |   monitoring             = true
		219 |   vpc_security_group_ids = [aws_security_group.app.id]
		220 |   subnet_id              = data.aws_subnet.data_subnets_a.id
		221 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		222 |   key_name               = aws_key_pair.cwa.key_name
		223 |   #   user_data_base64            = base64encode(local.app_userdata)
		224 |   #   user_data_replace_on_change = true
		225 | 
		226 |   root_block_device {
		227 |     tags = merge(
		228 |       { "instance-scheduling" = "skip-scheduling" },
		229 |       local.tags,
		230 |       { "Name" = "${local.application_name_short}-app2-root" }
		231 |     )
		232 |   }
		233 | 
		234 |   tags = merge(
		235 |     { "instance-scheduling" = "skip-scheduling" },
		236 |     local.tags,
		237 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		238 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		239 |   )
		240 | 
		241 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		242 | 
		243 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:261-265
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		261 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		262 |   security_group_id = aws_security_group.app.id
		263 |   cidr_ipv4         = "0.0.0.0/0"
		264 |   ip_protocol       = "-1"
		265 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:267-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		267 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		268 |   security_group_id            = aws_security_group.app.id
		269 |   description                  = "SSH from the Bastion"
		270 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		271 |   from_port                    = 22
		272 |   ip_protocol                  = "tcp"
		273 |   to_port                      = 22
		274 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:158-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		158 | resource "aws_instance" "concurrent_manager" {
		159 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		160 |   availability_zone           = "eu-west-2a"
		161 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		162 |   monitoring                  = true
		163 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		164 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		165 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		166 |   key_name                    = aws_key_pair.cwa.key_name
		167 |   user_data_base64            = base64encode(local.cm_userdata)
		168 |   user_data_replace_on_change = false
		169 |   metadata_options {
		170 |     http_tokens = "optional"
		171 |   }
		172 | 
		173 |   root_block_device {
		174 |     tags = merge(
		175 |       { "instance-scheduling" = "skip-scheduling" },
		176 |       local.tags,
		177 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		178 |     )
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     { "instance-scheduling" = "skip-scheduling" },
		183 |     local.tags,
		184 |     { "Name" = local.cm_ec2_name },
		185 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		186 |   )
		187 | 
		188 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		189 | 
		190 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:158-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		158 | resource "aws_instance" "concurrent_manager" {
		159 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		160 |   availability_zone           = "eu-west-2a"
		161 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		162 |   monitoring                  = true
		163 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		164 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		165 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		166 |   key_name                    = aws_key_pair.cwa.key_name
		167 |   user_data_base64            = base64encode(local.cm_userdata)
		168 |   user_data_replace_on_change = false
		169 |   metadata_options {
		170 |     http_tokens = "optional"
		171 |   }
		172 | 
		173 |   root_block_device {
		174 |     tags = merge(
		175 |       { "instance-scheduling" = "skip-scheduling" },
		176 |       local.tags,
		177 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		178 |     )
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     { "instance-scheduling" = "skip-scheduling" },
		183 |     local.tags,
		184 |     { "Name" = local.cm_ec2_name },
		185 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		186 |   )
		187 | 
		188 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		189 | 
		190 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:208-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		208 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		209 |   security_group_id = aws_security_group.concurrent_manager.id
		210 |   cidr_ipv4         = "0.0.0.0/0"
		211 |   ip_protocol       = "-1"
		212 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:214-221
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		214 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		215 |   security_group_id            = aws_security_group.concurrent_manager.id
		216 |   description                  = "SSH from the Bastion"
		217 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		218 |   from_port                    = 22
		219 |   ip_protocol                  = "tcp"
		220 |   to_port                      = 22
		221 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:184-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		184 | resource "aws_instance" "database" {
		185 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		186 |   availability_zone           = "eu-west-2a"
		187 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		188 |   monitoring                  = true
		189 |   vpc_security_group_ids      = [aws_security_group.database.id]
		190 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		191 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		192 |   key_name                    = aws_key_pair.cwa.key_name
		193 |   user_data_base64            = base64encode(local.db_userdata)
		194 |   user_data_replace_on_change = false
		195 |   metadata_options {
		196 |     http_tokens = "optional"
		197 |   }
		198 | 
		199 |   root_block_device {
		200 |     tags = merge(
		201 |       { "instance-scheduling" = "skip-scheduling" },
		202 |       local.tags,
		203 |       { "Name" = "${local.application_name_short}-database-root" }
		204 |     )
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     { "instance-scheduling" = "skip-scheduling" },
		209 |     local.tags,
		210 |     { "Name" = local.database_ec2_name }
		211 |   )
		212 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:184-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		184 | resource "aws_instance" "database" {
		185 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		186 |   availability_zone           = "eu-west-2a"
		187 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		188 |   monitoring                  = true
		189 |   vpc_security_group_ids      = [aws_security_group.database.id]
		190 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		191 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		192 |   key_name                    = aws_key_pair.cwa.key_name
		193 |   user_data_base64            = base64encode(local.db_userdata)
		194 |   user_data_replace_on_change = false
		195 |   metadata_options {
		196 |     http_tokens = "optional"
		197 |   }
		198 | 
		199 |   root_block_device {
		200 |     tags = merge(
		201 |       { "instance-scheduling" = "skip-scheduling" },
		202 |       local.tags,
		203 |       { "Name" = "${local.application_name_short}-database-root" }
		204 |     )
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     { "instance-scheduling" = "skip-scheduling" },
		209 |     local.tags,
		210 |     { "Name" = local.database_ec2_name }
		211 |   )
		212 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		213 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:236-240
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		236 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		237 |   security_group_id = aws_security_group.database.id
		238 |   cidr_ipv4         = "0.0.0.0/0"
		239 |   ip_protocol       = "-1"
		240 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:242-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		242 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		243 |   security_group_id            = aws_security_group.database.id
		244 |   description                  = "SSH from the Bastion"
		245 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		246 |   from_port                    = 22
		247 |   ip_protocol                  = "tcp"
		248 |   to_port                      = 22
		249 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:251-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		251 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		252 |   security_group_id            = aws_security_group.database.id
		253 |   description                  = "Allow Lambda SSH access for backup snapshots"
		254 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		255 |   from_port                    = 22
		256 |   ip_protocol                  = "tcp"
		257 |   to_port                      = 22
		258 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:381-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		381 | resource "aws_ebs_volume" "app1" {
		382 |   availability_zone = "eu-west-2a"
		383 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		384 |   type              = "gp2"
		385 |   encrypted         = true
		386 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		387 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		388 | 
		389 |   lifecycle {
		390 |     ignore_changes = [kms_key_id]
		391 |   }
		392 | 
		393 |   tags = merge(
		394 |     local.tags,
		395 |     { "Name" = "${local.application_name_short}-app1-data" },
		396 |   )
		397 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:405-422
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		405 | resource "aws_ebs_volume" "app2" {
		406 |   count             = contains(["development", "testing"], local.environment) ? 0 : 1
		407 |   availability_zone = "eu-west-2a"
		408 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		409 |   type              = "gp2"
		410 |   encrypted         = true
		411 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		412 |   # snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		413 | 
		414 |   lifecycle {
		415 |     ignore_changes = [kms_key_id]
		416 |   }
		417 | 
		418 |   tags = merge(
		419 |     local.tags,
		420 |     { "Name" = "${local.application_name_short}-app2-data" },
		421 |   )
		422 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:245-261
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		245 | resource "aws_ebs_volume" "concurrent_manager" {
		246 |   availability_zone = "eu-west-2a"
		247 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		248 |   type              = "gp2"
		249 |   encrypted         = true
		250 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		251 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		252 | 
		253 |   lifecycle {
		254 |     ignore_changes = [kms_key_id]
		255 |   }
		256 | 
		257 |   tags = merge(
		258 |     local.tags,
		259 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		260 |   )
		261 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:420-436
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		420 | resource "aws_ebs_volume" "oradata" {
		421 |   availability_zone = "eu-west-2a"
		422 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		423 |   type              = "gp2"
		424 |   encrypted         = true
		425 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		426 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		427 | 
		428 |   lifecycle {
		429 |     ignore_changes = [kms_key_id]
		430 |   }
		431 | 
		432 |   tags = merge(
		433 |     local.tags,
		434 |     { "Name" = "${local.application_name_short}-database-oradata" },
		435 |   )
		436 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:444-460
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		444 | resource "aws_ebs_volume" "oracle" {
		445 |   availability_zone = "eu-west-2a"
		446 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		447 |   type              = "gp2"
		448 |   encrypted         = true
		449 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		450 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		451 | 
		452 |   lifecycle {
		453 |     ignore_changes = [kms_key_id]
		454 |   }
		455 | 
		456 |   tags = merge(
		457 |     local.tags,
		458 |     { "Name" = "${local.application_name_short}-database-oracle" },
		459 |   )
		460 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:468-484
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		468 | resource "aws_ebs_volume" "oraarch" {
		469 |   availability_zone = "eu-west-2a"
		470 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		471 |   type              = "gp2"
		472 |   encrypted         = true
		473 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		474 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		475 | 
		476 |   lifecycle {
		477 |     ignore_changes = [kms_key_id]
		478 |   }
		479 | 
		480 |   tags = merge(
		481 |     local.tags,
		482 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		483 |   )
		484 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:492-508
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		492 | resource "aws_ebs_volume" "oratmp" {
		493 |   availability_zone = "eu-west-2a"
		494 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		495 |   type              = "gp2"
		496 |   encrypted         = true
		497 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		498 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		499 | 
		500 |   lifecycle {
		501 |     ignore_changes = [kms_key_id]
		502 |   }
		503 | 
		504 |   tags = merge(
		505 |     local.tags,
		506 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		507 |   )
		508 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:516-532
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		516 | resource "aws_ebs_volume" "oraredo" {
		517 |   availability_zone = "eu-west-2a"
		518 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		519 |   type              = "gp2"
		520 |   encrypted         = true
		521 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		522 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		523 | 
		524 |   lifecycle {
		525 |     ignore_changes = [kms_key_id]
		526 |   }
		527 | 
		528 |   tags = merge(
		529 |     local.tags,
		530 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		531 |   )
		532 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:540-556
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		540 | resource "aws_ebs_volume" "share" {
		541 |   availability_zone = "eu-west-2a"
		542 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		543 |   type              = "gp2"
		544 |   encrypted         = true
		545 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		546 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		547 | 
		548 |   lifecycle {
		549 |     ignore_changes = [kms_key_id]
		550 |   }
		551 | 
		552 |   tags = merge(
		553 |     local.tags,
		554 |     { "Name" = "${local.application_name_short}-database-share" },
		555 |   )
		556 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 119:
 119: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-10-25T12:43:02Z	INFO	[vulndb] Need to update DB
2024-10-25T12:43:02Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-25T12:43:02Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-25T12:43:04Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-25T12:43:04Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-25T12:43:04Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-25T12:43:04Z	INFO	[misconfig] Need to update the built-in checks
2024-10-25T12:43:04Z	INFO	[misconfig] Downloading the built-in checks...
2024-10-25T12:43:04Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16957b935ef82529bc26f3ceeeb60d798c90ef142d25e3715ab4478b204ed1bb: TOOMANYREQUESTS: retry-after: 584.155µs, allowed: 44000/minute"
2024-10-25T12:43:04Z	INFO	[secret] Secret scanning is enabled
2024-10-25T12:43:04Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-25T12:43:04Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-25T12:43:05Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-25T12:43:05Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-25T12:43:06Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-25T12:43:06Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-25T12:43:06Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-25T12:43:06Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-25T12:43:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-25T12:43:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-25T12:43:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-25T12:43:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-25T12:43:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-25T12:43:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-25T12:43:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-25T12:43:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-25T12:43:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-25T12:43:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-25T12:43:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-25T12:43:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-25T12:43:08Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-25T12:43:09Z	INFO	Number of language-specific files	num=0
2024-10-25T12:43:09Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [   internal                   = false
 ...   
 153   }
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:191
   via app_servers.tf:190-192 (metadata_options)
    via app_servers.tf:179-211 (aws_instance.app1)
────────────────────────────────────────
 179   resource "aws_instance" "app1" {
 ...   
 191 [     http_tokens = "optional"
 ...   
 211   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:213-243
────────────────────────────────────────
 213 ┌ resource "aws_instance" "app2" {
 214 │   count                  = contains(["development", "testing"], local.environment) ? 0 : 1
 215 │   ami                    = local.application_data.accounts[local.environment].app_ami_id
 216 │   availability_zone      = "eu-west-2a"
 217 │   instance_type          = local.application_data.accounts[local.environment].app_instance_type
 218 │   monitoring             = true
 219 │   vpc_security_group_ids = [aws_security_group.app.id]
 220 │   subnet_id              = data.aws_subnet.data_subnets_a.id
 221 └   iam_instance_profile   = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:179-211
────────────────────────────────────────
 179 ┌ resource "aws_instance" "app1" {
 180 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 181 │   availability_zone           = "eu-west-2a"
 182 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 183 │   monitoring                  = true
 184 │   vpc_security_group_ids      = [aws_security_group.app.id]
 185 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 186 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 187 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:213-243
────────────────────────────────────────
 213 ┌ resource "aws_instance" "app2" {
 214 │   count                  = contains(["development", "testing"], local.environment) ? 0 : 1
 215 │   ami                    = local.application_data.accounts[local.environment].app_ami_id
 216 │   availability_zone      = "eu-west-2a"
 217 │   instance_type          = local.application_data.accounts[local.environment].app_instance_type
 218 │   monitoring             = true
 219 │   vpc_security_group_ids = [aws_security_group.app.id]
 220 │   subnet_id              = data.aws_subnet.data_subnets_a.id
 221 └   iam_instance_profile   = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:170
   via concurrent_manager.tf:169-171 (metadata_options)
    via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
 158   resource "aws_instance" "concurrent_manager" {
 ...   
 170 [     http_tokens = "optional"
 ...   
 190   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:158-190
────────────────────────────────────────
 158 ┌ resource "aws_instance" "concurrent_manager" {
 159 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 160 │   availability_zone           = "eu-west-2a"
 161 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 162 │   monitoring                  = true
 163 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 164 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 165 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 166 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:196
   via database.tf:195-197 (metadata_options)
    via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
 184   resource "aws_instance" "database" {
 ...   
 196 [     http_tokens = "optional"
 ...   
 213   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:184-213
────────────────────────────────────────
 184 ┌ resource "aws_instance" "database" {
 185 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 186 │   availability_zone           = "eu-west-2a"
 187 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 188 │   monitoring                  = true
 189 │   vpc_security_group_ids      = [aws_security_group.database.id]
 190 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 191 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 192 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


trivy_exitcode=1

@vc13837 vc13837 temporarily deployed to contract-work-administration-development October 29, 2024 12:39 — with GitHub Actions

Trivy Scan Failed

```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-10-29T12:40:38Z INFO [vulndb] Need to update DB
2024-10-29T12:40:38Z INFO [vulndb] Downloading vulnerability DB...
2024-10-29T12:40:38Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T12:40:40Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T12:40:40Z INFO [vuln] Vulnerability scanning is enabled
2024-10-29T12:40:40Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-29T12:40:40Z INFO [misconfig] Need to update the built-in checks
2024-10-29T12:40:40Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-10-29T12:40:40Z INFO [secret] Secret scanning is enabled
2024-10-29T12:40:40Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T12:40:40Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T12:40:41Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-29T12:40:41Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-29T12:40:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-29T12:40:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-29T12:40:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-29T12:40:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-29T12:40:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T12:40:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T12:40:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T12:40:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T12:40:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T12:40:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T12:40:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T12:40:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T12:40:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T12:40:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T12:40:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T12:40:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T12:40:45Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-29T12:40:45Z INFO Number of language-specific files num=0
2024-10-29T12:40:45Z INFO Detected config files num=9

alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:132
via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
130 resource "aws_lb" "external" {
...
132 [ internal = false
...
153 }
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:192
via app_servers.tf:191-193 (metadata_options)
via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
180 resource "aws_instance" "app1" {
...
192 [ http_tokens = "optional"
...
212 }
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:214-244
────────────────────────────────────────
214 ┌ resource "aws_instance" "app2" {
215 │ count = contains(["development", "testing"], local.environment) ? 0 : 1
216 │ ami = local.application_data.accounts[local.environment].app_ami_id
217 │ availability_zone = "eu-west-2a"
218 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
219 │ monitoring = true
220 │ vpc_security_group_ids = [aws_security_group.app.id]
221 │ subnet_id = data.aws_subnet.data_subnets_a.id
222 └ iam_instance_profile = aws_iam_instance_profile.cwa.id
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:180-212
────────────────────────────────────────
180 ┌ resource "aws_instance" "app1" {
181 │ ami = local.application_data.accounts[local.environment].app_ami_id
182 │ availability_zone = "eu-west-2a"
183 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
184 │ monitoring = true
185 │ vpc_security_group_ids = [aws_security_group.app.id]
186 │ subnet_id = data.aws_subnet.private_subnets_a.id
187 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
188 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:214-244
────────────────────────────────────────
214 ┌ resource "aws_instance" "app2" {
215 │ count = contains(["development", "testing"], local.environment) ? 0 : 1
216 │ ami = local.application_data.accounts[local.environment].app_ami_id
217 │ availability_zone = "eu-west-2a"
218 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
219 │ monitoring = true
220 │ vpc_security_group_ids = [aws_security_group.app.id]
221 │ subnet_id = data.aws_subnet.data_subnets_a.id
222 └ iam_instance_profile = aws_iam_instance_profile.cwa.id
...
────────────────────────────────────────

backup_lambda.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:170
via concurrent_manager.tf:169-171 (metadata_options)
via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
158 resource "aws_instance" "concurrent_manager" {
...
170 [ http_tokens = "optional"
...
190 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:158-190
────────────────────────────────────────
158 ┌ resource "aws_instance" "concurrent_manager" {
159 │ ami = local.application_data.accounts[local.environment].cm_ami_id
160 │ availability_zone = "eu-west-2a"
161 │ instance_type = local.application_data.accounts[local.environment].cm_instance_type
162 │ monitoring = true
163 │ vpc_security_group_ids = [aws_security_group.concurrent_manager.id]
164 │ subnet_id = data.aws_subnet.private_subnets_a.id
165 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
166 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

database.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:196
via database.tf:195-197 (metadata_options)
via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
184 resource "aws_instance" "database" {
...
196 [ http_tokens = "optional"
...
213 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:184-213
────────────────────────────────────────
184 ┌ resource "aws_instance" "database" {
185 │ ami = local.application_data.accounts[local.environment].db_ami_id
186 │ availability_zone = "eu-west-2a"
187 │ instance_type = local.application_data.accounts[local.environment].db_instance_type
188 │ monitoring = true
189 │ vpc_security_group_ids = [aws_security_group.database.id]
190 │ subnet_id = data.aws_subnet.data_subnets_a.id
191 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
192 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

trivy_exitcode=1

```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-29 12:40:48,592 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-29 12:40:48,592 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-10-29 12:40:48,592 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-29 12:40:48,621 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-29 12:40:48,621 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:180-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		180 | resource "aws_instance" "app1" {
		181 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		182 |   availability_zone           = "eu-west-2a"
		183 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		184 |   monitoring                  = true
		185 |   vpc_security_group_ids      = [aws_security_group.app.id]
		186 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		187 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		188 |   key_name                    = aws_key_pair.cwa.key_name
		189 |   user_data_base64            = base64encode(local.app_userdata)
		190 |   user_data_replace_on_change = false
		191 |   metadata_options {
		192 |     http_tokens = "optional"
		193 |   }
		194 | 
		195 |   root_block_device {
		196 |     tags = merge(
		197 |       { "instance-scheduling" = "skip-scheduling" },
		198 |       local.tags,
		199 |       { "Name" = "${local.application_name_short}-app1-root" }
		200 |     )
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     { "instance-scheduling" = "skip-scheduling" },
		205 |     local.tags,
		206 |     { "Name" = local.appserver1_ec2_name },
		207 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		208 |   )
		209 | 
		210 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		211 | 
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:180-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		180 | resource "aws_instance" "app1" {
		181 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		182 |   availability_zone           = "eu-west-2a"
		183 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		184 |   monitoring                  = true
		185 |   vpc_security_group_ids      = [aws_security_group.app.id]
		186 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		187 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		188 |   key_name                    = aws_key_pair.cwa.key_name
		189 |   user_data_base64            = base64encode(local.app_userdata)
		190 |   user_data_replace_on_change = false
		191 |   metadata_options {
		192 |     http_tokens = "optional"
		193 |   }
		194 | 
		195 |   root_block_device {
		196 |     tags = merge(
		197 |       { "instance-scheduling" = "skip-scheduling" },
		198 |       local.tags,
		199 |       { "Name" = "${local.application_name_short}-app1-root" }
		200 |     )
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     { "instance-scheduling" = "skip-scheduling" },
		205 |     local.tags,
		206 |     { "Name" = local.appserver1_ec2_name },
		207 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		208 |   )
		209 | 
		210 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		211 | 
		212 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:214-244
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		214 | resource "aws_instance" "app2" {
		215 |   count                  = contains(["development", "testing"], local.environment) ? 0 : 1
		216 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		217 |   availability_zone      = "eu-west-2a"
		218 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		219 |   monitoring             = true
		220 |   vpc_security_group_ids = [aws_security_group.app.id]
		221 |   subnet_id              = data.aws_subnet.data_subnets_a.id
		222 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		223 |   key_name               = aws_key_pair.cwa.key_name
		224 |   #   user_data_base64            = base64encode(local.app_userdata)
		225 |   #   user_data_replace_on_change = true
		226 | 
		227 |   root_block_device {
		228 |     tags = merge(
		229 |       { "instance-scheduling" = "skip-scheduling" },
		230 |       local.tags,
		231 |       { "Name" = "${local.application_name_short}-app2-root" }
		232 |     )
		233 |   }
		234 | 
		235 |   tags = merge(
		236 |     { "instance-scheduling" = "skip-scheduling" },
		237 |     local.tags,
		238 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		239 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		240 |   )
		241 | 
		242 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		243 | 
		244 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:214-244
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		214 | resource "aws_instance" "app2" {
		215 |   count                  = contains(["development", "testing"], local.environment) ? 0 : 1
		216 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		217 |   availability_zone      = "eu-west-2a"
		218 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		219 |   monitoring             = true
		220 |   vpc_security_group_ids = [aws_security_group.app.id]
		221 |   subnet_id              = data.aws_subnet.data_subnets_a.id
		222 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		223 |   key_name               = aws_key_pair.cwa.key_name
		224 |   #   user_data_base64            = base64encode(local.app_userdata)
		225 |   #   user_data_replace_on_change = true
		226 | 
		227 |   root_block_device {
		228 |     tags = merge(
		229 |       { "instance-scheduling" = "skip-scheduling" },
		230 |       local.tags,
		231 |       { "Name" = "${local.application_name_short}-app2-root" }
		232 |     )
		233 |   }
		234 | 
		235 |   tags = merge(
		236 |     { "instance-scheduling" = "skip-scheduling" },
		237 |     local.tags,
		238 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		239 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		240 |   )
		241 | 
		242 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		243 | 
		244 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:262-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		262 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		263 |   security_group_id = aws_security_group.app.id
		264 |   cidr_ipv4         = "0.0.0.0/0"
		265 |   ip_protocol       = "-1"
		266 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:268-275
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		268 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		269 |   security_group_id            = aws_security_group.app.id
		270 |   description                  = "SSH from the Bastion"
		271 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		272 |   from_port                    = 22
		273 |   ip_protocol                  = "tcp"
		274 |   to_port                      = 22
		275 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:158-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		158 | resource "aws_instance" "concurrent_manager" {
		159 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		160 |   availability_zone           = "eu-west-2a"
		161 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		162 |   monitoring                  = true
		163 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		164 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		165 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		166 |   key_name                    = aws_key_pair.cwa.key_name
		167 |   user_data_base64            = base64encode(local.cm_userdata)
		168 |   user_data_replace_on_change = false
		169 |   metadata_options {
		170 |     http_tokens = "optional"
		171 |   }
		172 | 
		173 |   root_block_device {
		174 |     tags = merge(
		175 |       { "instance-scheduling" = "skip-scheduling" },
		176 |       local.tags,
		177 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		178 |     )
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     { "instance-scheduling" = "skip-scheduling" },
		183 |     local.tags,
		184 |     { "Name" = local.cm_ec2_name },
		185 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		186 |   )
		187 | 
		188 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		189 | 
		190 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:158-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		158 | resource "aws_instance" "concurrent_manager" {
		159 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		160 |   availability_zone           = "eu-west-2a"
		161 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		162 |   monitoring                  = true
		163 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		164 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		165 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		166 |   key_name                    = aws_key_pair.cwa.key_name
		167 |   user_data_base64            = base64encode(local.cm_userdata)
		168 |   user_data_replace_on_change = false
		169 |   metadata_options {
		170 |     http_tokens = "optional"
		171 |   }
		172 | 
		173 |   root_block_device {
		174 |     tags = merge(
		175 |       { "instance-scheduling" = "skip-scheduling" },
		176 |       local.tags,
		177 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		178 |     )
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     { "instance-scheduling" = "skip-scheduling" },
		183 |     local.tags,
		184 |     { "Name" = local.cm_ec2_name },
		185 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		186 |   )
		187 | 
		188 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		189 | 
		190 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:208-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		208 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		209 |   security_group_id = aws_security_group.concurrent_manager.id
		210 |   cidr_ipv4         = "0.0.0.0/0"
		211 |   ip_protocol       = "-1"
		212 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:214-221
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		214 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		215 |   security_group_id            = aws_security_group.concurrent_manager.id
		216 |   description                  = "SSH from the Bastion"
		217 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		218 |   from_port                    = 22
		219 |   ip_protocol                  = "tcp"
		220 |   to_port                      = 22
		221 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:184-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		184 | resource "aws_instance" "database" {
		185 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		186 |   availability_zone           = "eu-west-2a"
		187 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		188 |   monitoring                  = true
		189 |   vpc_security_group_ids      = [aws_security_group.database.id]
		190 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		191 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		192 |   key_name                    = aws_key_pair.cwa.key_name
		193 |   user_data_base64            = base64encode(local.db_userdata)
		194 |   user_data_replace_on_change = false
		195 |   metadata_options {
		196 |     http_tokens = "optional"
		197 |   }
		198 | 
		199 |   root_block_device {
		200 |     tags = merge(
		201 |       { "instance-scheduling" = "skip-scheduling" },
		202 |       local.tags,
		203 |       { "Name" = "${local.application_name_short}-database-root" }
		204 |     )
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     { "instance-scheduling" = "skip-scheduling" },
		209 |     local.tags,
		210 |     { "Name" = local.database_ec2_name }
		211 |   )
		212 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:184-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		184 | resource "aws_instance" "database" {
		185 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		186 |   availability_zone           = "eu-west-2a"
		187 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		188 |   monitoring                  = true
		189 |   vpc_security_group_ids      = [aws_security_group.database.id]
		190 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		191 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		192 |   key_name                    = aws_key_pair.cwa.key_name
		193 |   user_data_base64            = base64encode(local.db_userdata)
		194 |   user_data_replace_on_change = false
		195 |   metadata_options {
		196 |     http_tokens = "optional"
		197 |   }
		198 | 
		199 |   root_block_device {
		200 |     tags = merge(
		201 |       { "instance-scheduling" = "skip-scheduling" },
		202 |       local.tags,
		203 |       { "Name" = "${local.application_name_short}-database-root" }
		204 |     )
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     { "instance-scheduling" = "skip-scheduling" },
		209 |     local.tags,
		210 |     { "Name" = local.database_ec2_name }
		211 |   )
		212 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		213 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:236-240
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		236 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		237 |   security_group_id = aws_security_group.database.id
		238 |   cidr_ipv4         = "0.0.0.0/0"
		239 |   ip_protocol       = "-1"
		240 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:242-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		242 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		243 |   security_group_id            = aws_security_group.database.id
		244 |   description                  = "SSH from the Bastion"
		245 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		246 |   from_port                    = 22
		247 |   ip_protocol                  = "tcp"
		248 |   to_port                      = 22
		249 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:251-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		251 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		252 |   security_group_id            = aws_security_group.database.id
		253 |   description                  = "Allow Lambda SSH access for backup snapshots"
		254 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		255 |   from_port                    = 22
		256 |   ip_protocol                  = "tcp"
		257 |   to_port                      = 22
		258 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:382-398
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		382 | resource "aws_ebs_volume" "app1" {
		383 |   availability_zone = "eu-west-2a"
		384 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		385 |   type              = "gp2"
		386 |   encrypted         = true
		387 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		388 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		389 | 
		390 |   lifecycle {
		391 |     ignore_changes = [kms_key_id]
		392 |   }
		393 | 
		394 |   tags = merge(
		395 |     local.tags,
		396 |     { "Name" = "${local.application_name_short}-app1-data" },
		397 |   )
		398 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:406-423
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		406 | resource "aws_ebs_volume" "app2" {
		407 |   count             = contains(["development", "testing"], local.environment) ? 0 : 1
		408 |   availability_zone = "eu-west-2a"
		409 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		410 |   type              = "gp2"
		411 |   encrypted         = true
		412 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		413 |   # snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		414 | 
		415 |   lifecycle {
		416 |     ignore_changes = [kms_key_id]
		417 |   }
		418 | 
		419 |   tags = merge(
		420 |     local.tags,
		421 |     { "Name" = "${local.application_name_short}-app2-data" },
		422 |   )
		423 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:245-261
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		245 | resource "aws_ebs_volume" "concurrent_manager" {
		246 |   availability_zone = "eu-west-2a"
		247 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		248 |   type              = "gp2"
		249 |   encrypted         = true
		250 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		251 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		252 | 
		253 |   lifecycle {
		254 |     ignore_changes = [kms_key_id]
		255 |   }
		256 | 
		257 |   tags = merge(
		258 |     local.tags,
		259 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		260 |   )
		261 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:420-436
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		420 | resource "aws_ebs_volume" "oradata" {
		421 |   availability_zone = "eu-west-2a"
		422 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		423 |   type              = "gp2"
		424 |   encrypted         = true
		425 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		426 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		427 | 
		428 |   lifecycle {
		429 |     ignore_changes = [kms_key_id]
		430 |   }
		431 | 
		432 |   tags = merge(
		433 |     local.tags,
		434 |     { "Name" = "${local.application_name_short}-database-oradata" },
		435 |   )
		436 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:444-460
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		444 | resource "aws_ebs_volume" "oracle" {
		445 |   availability_zone = "eu-west-2a"
		446 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		447 |   type              = "gp2"
		448 |   encrypted         = true
		449 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		450 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		451 | 
		452 |   lifecycle {
		453 |     ignore_changes = [kms_key_id]
		454 |   }
		455 | 
		456 |   tags = merge(
		457 |     local.tags,
		458 |     { "Name" = "${local.application_name_short}-database-oracle" },
		459 |   )
		460 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:468-484
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		468 | resource "aws_ebs_volume" "oraarch" {
		469 |   availability_zone = "eu-west-2a"
		470 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		471 |   type              = "gp2"
		472 |   encrypted         = true
		473 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		474 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		475 | 
		476 |   lifecycle {
		477 |     ignore_changes = [kms_key_id]
		478 |   }
		479 | 
		480 |   tags = merge(
		481 |     local.tags,
		482 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		483 |   )
		484 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:492-508
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		492 | resource "aws_ebs_volume" "oratmp" {
		493 |   availability_zone = "eu-west-2a"
		494 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		495 |   type              = "gp2"
		496 |   encrypted         = true
		497 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		498 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		499 | 
		500 |   lifecycle {
		501 |     ignore_changes = [kms_key_id]
		502 |   }
		503 | 
		504 |   tags = merge(
		505 |     local.tags,
		506 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		507 |   )
		508 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:516-532
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		516 | resource "aws_ebs_volume" "oraredo" {
		517 |   availability_zone = "eu-west-2a"
		518 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		519 |   type              = "gp2"
		520 |   encrypted         = true
		521 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		522 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		523 | 
		524 |   lifecycle {
		525 |     ignore_changes = [kms_key_id]
		526 |   }
		527 | 
		528 |   tags = merge(
		529 |     local.tags,
		530 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		531 |   )
		532 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:540-556
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		540 | resource "aws_ebs_volume" "share" {
		541 |   availability_zone = "eu-west-2a"
		542 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		543 |   type              = "gp2"
		544 |   encrypted         = true
		545 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		546 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		547 | 
		548 |   lifecycle {
		549 |     ignore_changes = [kms_key_id]
		550 |   }
		551 | 
		552 |   tags = merge(
		553 |     local.tags,
		554 |     { "Name" = "${local.application_name_short}-database-share" },
		555 |   )
		556 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/concurrent_manager.tf line 149:
 149: resource "time_sleep" "wait_cm_custom_script" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-10-29T12:40:38Z	INFO	[vulndb] Need to update DB
2024-10-29T12:40:38Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-29T12:40:38Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T12:40:40Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T12:40:40Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-29T12:40:40Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-29T12:40:40Z	INFO	[misconfig] Need to update the built-in checks
2024-10-29T12:40:40Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-29T12:40:40Z	INFO	[secret] Secret scanning is enabled
2024-10-29T12:40:40Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T12:40:40Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T12:40:41Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-29T12:40:41Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-29T12:40:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-29T12:40:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-29T12:40:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-29T12:40:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-29T12:40:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T12:40:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T12:40:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T12:40:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T12:40:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T12:40:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T12:40:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T12:40:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T12:40:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T12:40:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T12:40:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T12:40:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T12:40:45Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-29T12:40:45Z	INFO	Number of language-specific files	num=0
2024-10-29T12:40:45Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [   internal                   = false
 ...   
 153   }
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:192
   via app_servers.tf:191-193 (metadata_options)
    via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
 180   resource "aws_instance" "app1" {
 ...   
 192 [     http_tokens = "optional"
 ...   
 212   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:214-244
────────────────────────────────────────
 214 ┌ resource "aws_instance" "app2" {
 215 │   count                  = contains(["development", "testing"], local.environment) ? 0 : 1
 216 │   ami                    = local.application_data.accounts[local.environment].app_ami_id
 217 │   availability_zone      = "eu-west-2a"
 218 │   instance_type          = local.application_data.accounts[local.environment].app_instance_type
 219 │   monitoring             = true
 220 │   vpc_security_group_ids = [aws_security_group.app.id]
 221 │   subnet_id              = data.aws_subnet.data_subnets_a.id
 222 └   iam_instance_profile   = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:180-212
────────────────────────────────────────
 180 ┌ resource "aws_instance" "app1" {
 181 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 182 │   availability_zone           = "eu-west-2a"
 183 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 184 │   monitoring                  = true
 185 │   vpc_security_group_ids      = [aws_security_group.app.id]
 186 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 187 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 188 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:214-244
────────────────────────────────────────
 214 ┌ resource "aws_instance" "app2" {
 215 │   count                  = contains(["development", "testing"], local.environment) ? 0 : 1
 216 │   ami                    = local.application_data.accounts[local.environment].app_ami_id
 217 │   availability_zone      = "eu-west-2a"
 218 │   instance_type          = local.application_data.accounts[local.environment].app_instance_type
 219 │   monitoring             = true
 220 │   vpc_security_group_ids = [aws_security_group.app.id]
 221 │   subnet_id              = data.aws_subnet.data_subnets_a.id
 222 └   iam_instance_profile   = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:170
   via concurrent_manager.tf:169-171 (metadata_options)
    via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
 158   resource "aws_instance" "concurrent_manager" {
 ...   
 170 [     http_tokens = "optional"
 ...   
 190   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:158-190
────────────────────────────────────────
 158 ┌ resource "aws_instance" "concurrent_manager" {
 159 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 160 │   availability_zone           = "eu-west-2a"
 161 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 162 │   monitoring                  = true
 163 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 164 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 165 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 166 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:196
   via database.tf:195-197 (metadata_options)
    via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
 184   resource "aws_instance" "database" {
 ...   
 196 [     http_tokens = "optional"
 ...   
 213   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:184-213
────────────────────────────────────────
 184 ┌ resource "aws_instance" "database" {
 185 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 186 │   availability_zone           = "eu-west-2a"
 187 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 188 │   monitoring                  = true
 189 │   vpc_security_group_ids      = [aws_security_group.database.id]
 190 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 191 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 192 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


trivy_exitcode=1
```

@vc13837 vc13837 temporarily deployed to contract-work-administration-development October 30, 2024 10:34 — with GitHub Actions Inactive

Trivy Scan Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-10-30T10:35:19Z INFO [vulndb] Need to update DB
2024-10-30T10:35:19Z INFO [vulndb] Downloading vulnerability DB...
2024-10-30T10:35:19Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T10:35:22Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T10:35:22Z INFO [vuln] Vulnerability scanning is enabled
2024-10-30T10:35:22Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-30T10:35:22Z INFO [misconfig] Need to update the built-in checks
2024-10-30T10:35:22Z INFO [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-30T10:35:22Z INFO [secret] Secret scanning is enabled
2024-10-30T10:35:22Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-30T10:35:22Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-30T10:35:23Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-30T10:35:23Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-30T10:35:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-30T10:35:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-30T10:35:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T10:35:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T10:35:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T10:35:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T10:35:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T10:35:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T10:35:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T10:35:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T10:35:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T10:35:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T10:35:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T10:35:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T10:35:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T10:35:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T10:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-30T10:35:26Z INFO Number of language-specific files num=0
2024-10-30T10:35:26Z INFO Detected config files num=9

alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:191-193
via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
180 resource "aws_instance" "app1" {
...
191 ┌ metadata_options {
192 │ http_tokens = "optional"
193 └ }
...
212 }
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:214-244
────────────────────────────────────────
214 ┌ resource "aws_instance" "app2" {
215 │ count = contains(["development2", "testing"], local.environment) ? 0 : 1
216 │ ami = local.application_data.accounts[local.environment].app_ami_id
217 │ availability_zone = "eu-west-2a"
218 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
219 │ monitoring = true
220 │ vpc_security_group_ids = [aws_security_group.app.id]
221 │ subnet_id = data.aws_subnet.data_subnets_a.id
222 └ iam_instance_profile = aws_iam_instance_profile.cwa.id
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:195-201
via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
180 resource "aws_instance" "app1" {
...
195 ┌ root_block_device {
196 │ tags = merge(
197 │ { "instance-scheduling" = "skip-scheduling" },
198 │ local.tags,
199 │ { "Name" = "${local.application_name_short}-app1-root" }
200 │ )
201 └ }
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:227-233
via app_servers.tf:214-244 (aws_instance.app2[0])
────────────────────────────────────────
214 resource "aws_instance" "app2" {
...
227 ┌ root_block_device {
228 │ tags = merge(
229 │ { "instance-scheduling" = "skip-scheduling" },
230 │ local.tags,
231 │ { "Name" = "${local.application_name_short}-app2-root" }
232 │ )
233 └ }
...
────────────────────────────────────────

backup_lambda.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:169-171
via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
158 resource "aws_instance" "concurrent_manager" {
...
169 ┌ metadata_options {
170 │ http_tokens = "optional"
171 └ }
...
190 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:173-179
via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
158 resource "aws_instance" "concurrent_manager" {
...
173 ┌ root_block_device {
174 │ tags = merge(
175 │ { "instance-scheduling" = "skip-scheduling" },
176 │ local.tags,
177 │ { "Name" = "${local.application_name_short}-concurrent-manager-root" }
178 │ )
179 └ }
...
────────────────────────────────────────

database.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:195-197
via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
184 resource "aws_instance" "database" {
...
195 ┌ metadata_options {
196 │ http_tokens = "optional"
197 └ }
...
213 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:199-205
via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
184 resource "aws_instance" "database" {
...
199 ┌ root_block_device {
200 │ tags = merge(
201 │ { "instance-scheduling" = "skip-scheduling" },
202 │ local.tags,
203 │ { "Name" = "${local.application_name_short}-database-root" }
204 │ )
205 └ }
...
────────────────────────────────────────

trivy_exitcode=1
```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-30 10:35:28,967 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 10:35:28,967 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 10:35:28,967 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 10:35:28,997 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-30 10:35:28,997 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:180-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		180 | resource "aws_instance" "app1" {
		181 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		182 |   availability_zone           = "eu-west-2a"
		183 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		184 |   monitoring                  = true
		185 |   vpc_security_group_ids      = [aws_security_group.app.id]
		186 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		187 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		188 |   key_name                    = aws_key_pair.cwa.key_name
		189 |   user_data_base64            = base64encode(local.app_userdata)
		190 |   user_data_replace_on_change = false
		191 |   metadata_options {
		192 |     http_tokens = "optional"
		193 |   }
		194 | 
		195 |   root_block_device {
		196 |     tags = merge(
		197 |       { "instance-scheduling" = "skip-scheduling" },
		198 |       local.tags,
		199 |       { "Name" = "${local.application_name_short}-app1-root" }
		200 |     )
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     { "instance-scheduling" = "skip-scheduling" },
		205 |     local.tags,
		206 |     { "Name" = local.appserver1_ec2_name },
		207 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		208 |   )
		209 | 
		210 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		211 | 
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:180-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:214-244
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		214 | resource "aws_instance" "app2" {
		215 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		216 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		217 |   availability_zone      = "eu-west-2a"
		218 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		219 |   monitoring             = true
		220 |   vpc_security_group_ids = [aws_security_group.app.id]
		221 |   subnet_id              = data.aws_subnet.data_subnets_a.id
		222 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		223 |   key_name               = aws_key_pair.cwa.key_name
		224 |   user_data_base64       = base64encode(local.app_userdata)
		225 |   user_data_replace_on_change = true
		226 | 
		227 |   root_block_device {
		228 |     tags = merge(
		229 |       { "instance-scheduling" = "skip-scheduling" },
		230 |       local.tags,
		231 |       { "Name" = "${local.application_name_short}-app2-root" }
		232 |     )
		233 |   }
		234 | 
		235 |   tags = merge(
		236 |     { "instance-scheduling" = "skip-scheduling" },
		237 |     local.tags,
		238 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		239 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		240 |   )
		241 | 
		242 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		243 | 
		244 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:214-244
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:262-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		262 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		263 |   security_group_id = aws_security_group.app.id
		264 |   cidr_ipv4         = "0.0.0.0/0"
		265 |   ip_protocol       = "-1"
		266 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:268-275
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		268 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		269 |   security_group_id            = aws_security_group.app.id
		270 |   description                  = "SSH from the Bastion"
		271 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		272 |   from_port                    = 22
		273 |   ip_protocol                  = "tcp"
		274 |   to_port                      = 22
		275 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:158-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		158 | resource "aws_instance" "concurrent_manager" {
		159 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		160 |   availability_zone           = "eu-west-2a"
		161 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		162 |   monitoring                  = true
		163 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		164 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		165 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		166 |   key_name                    = aws_key_pair.cwa.key_name
		167 |   user_data_base64            = base64encode(local.cm_userdata)
		168 |   user_data_replace_on_change = false
		169 |   metadata_options {
		170 |     http_tokens = "optional"
		171 |   }
		172 | 
		173 |   root_block_device {
		174 |     tags = merge(
		175 |       { "instance-scheduling" = "skip-scheduling" },
		176 |       local.tags,
		177 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		178 |     )
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     { "instance-scheduling" = "skip-scheduling" },
		183 |     local.tags,
		184 |     { "Name" = local.cm_ec2_name },
		185 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		186 |   )
		187 | 
		188 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		189 | 
		190 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:158-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		158 | resource "aws_instance" "concurrent_manager" {
		159 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		160 |   availability_zone           = "eu-west-2a"
		161 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		162 |   monitoring                  = true
		163 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		164 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		165 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		166 |   key_name                    = aws_key_pair.cwa.key_name
		167 |   user_data_base64            = base64encode(local.cm_userdata)
		168 |   user_data_replace_on_change = false
		169 |   metadata_options {
		170 |     http_tokens = "optional"
		171 |   }
		172 | 
		173 |   root_block_device {
		174 |     tags = merge(
		175 |       { "instance-scheduling" = "skip-scheduling" },
		176 |       local.tags,
		177 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		178 |     )
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     { "instance-scheduling" = "skip-scheduling" },
		183 |     local.tags,
		184 |     { "Name" = local.cm_ec2_name },
		185 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		186 |   )
		187 | 
		188 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		189 | 
		190 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:208-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		208 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		209 |   security_group_id = aws_security_group.concurrent_manager.id
		210 |   cidr_ipv4         = "0.0.0.0/0"
		211 |   ip_protocol       = "-1"
		212 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:214-221
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		214 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		215 |   security_group_id            = aws_security_group.concurrent_manager.id
		216 |   description                  = "SSH from the Bastion"
		217 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		218 |   from_port                    = 22
		219 |   ip_protocol                  = "tcp"
		220 |   to_port                      = 22
		221 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:184-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		184 | resource "aws_instance" "database" {
		185 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		186 |   availability_zone           = "eu-west-2a"
		187 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		188 |   monitoring                  = true
		189 |   vpc_security_group_ids      = [aws_security_group.database.id]
		190 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		191 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		192 |   key_name                    = aws_key_pair.cwa.key_name
		193 |   user_data_base64            = base64encode(local.db_userdata)
		194 |   user_data_replace_on_change = false
		195 |   metadata_options {
		196 |     http_tokens = "optional"
		197 |   }
		198 | 
		199 |   root_block_device {
		200 |     tags = merge(
		201 |       { "instance-scheduling" = "skip-scheduling" },
		202 |       local.tags,
		203 |       { "Name" = "${local.application_name_short}-database-root" }
		204 |     )
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     { "instance-scheduling" = "skip-scheduling" },
		209 |     local.tags,
		210 |     { "Name" = local.database_ec2_name }
		211 |   )
		212 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:184-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		184 | resource "aws_instance" "database" {
		185 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		186 |   availability_zone           = "eu-west-2a"
		187 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		188 |   monitoring                  = true
		189 |   vpc_security_group_ids      = [aws_security_group.database.id]
		190 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		191 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		192 |   key_name                    = aws_key_pair.cwa.key_name
		193 |   user_data_base64            = base64encode(local.db_userdata)
		194 |   user_data_replace_on_change = false
		195 |   metadata_options {
		196 |     http_tokens = "optional"
		197 |   }
		198 | 
		199 |   root_block_device {
		200 |     tags = merge(
		201 |       { "instance-scheduling" = "skip-scheduling" },
		202 |       local.tags,
		203 |       { "Name" = "${local.application_name_short}-database-root" }
		204 |     )
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     { "instance-scheduling" = "skip-scheduling" },
		209 |     local.tags,
		210 |     { "Name" = local.database_ec2_name }
		211 |   )
		212 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		213 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:236-240
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		236 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		237 |   security_group_id = aws_security_group.database.id
		238 |   cidr_ipv4         = "0.0.0.0/0"
		239 |   ip_protocol       = "-1"
		240 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:242-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		242 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		243 |   security_group_id            = aws_security_group.database.id
		244 |   description                  = "SSH from the Bastion"
		245 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		246 |   from_port                    = 22
		247 |   ip_protocol                  = "tcp"
		248 |   to_port                      = 22
		249 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:251-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		251 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		252 |   security_group_id            = aws_security_group.database.id
		253 |   description                  = "Allow Lambda SSH access for backup snapshots"
		254 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		255 |   from_port                    = 22
		256 |   ip_protocol                  = "tcp"
		257 |   to_port                      = 22
		258 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:382-398
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		382 | resource "aws_ebs_volume" "app1" {
		383 |   availability_zone = "eu-west-2a"
		384 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		385 |   type              = "gp2"
		386 |   encrypted         = true
		387 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		388 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		389 | 
		390 |   lifecycle {
		391 |     ignore_changes = [kms_key_id]
		392 |   }
		393 | 
		394 |   tags = merge(
		395 |     local.tags,
		396 |     { "Name" = "${local.application_name_short}-app1-data" },
		397 |   )
		398 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:406-423
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		406 | resource "aws_ebs_volume" "app2" {
		407 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		408 |   availability_zone = "eu-west-2a"
		409 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		410 |   type              = "gp2"
		411 |   encrypted         = true
		412 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		413 |   # snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		414 | 
		415 |   lifecycle {
		416 |     ignore_changes = [kms_key_id]
		417 |   }
		418 | 
		419 |   tags = merge(
		420 |     local.tags,
		421 |     { "Name" = "${local.application_name_short}-app2-data" },
		422 |   )
		423 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:245-261
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		245 | resource "aws_ebs_volume" "concurrent_manager" {
		246 |   availability_zone = "eu-west-2a"
		247 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		248 |   type              = "gp2"
		249 |   encrypted         = true
		250 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		251 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		252 | 
		253 |   lifecycle {
		254 |     ignore_changes = [kms_key_id]
		255 |   }
		256 | 
		257 |   tags = merge(
		258 |     local.tags,
		259 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		260 |   )
		261 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:420-436
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		420 | resource "aws_ebs_volume" "oradata" {
		421 |   availability_zone = "eu-west-2a"
		422 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		423 |   type              = "gp2"
		424 |   encrypted         = true
		425 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		426 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		427 | 
		428 |   lifecycle {
		429 |     ignore_changes = [kms_key_id]
		430 |   }
		431 | 
		432 |   tags = merge(
		433 |     local.tags,
		434 |     { "Name" = "${local.application_name_short}-database-oradata" },
		435 |   )
		436 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:444-460
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		444 | resource "aws_ebs_volume" "oracle" {
		445 |   availability_zone = "eu-west-2a"
		446 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		447 |   type              = "gp2"
		448 |   encrypted         = true
		449 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		450 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		451 | 
		452 |   lifecycle {
		453 |     ignore_changes = [kms_key_id]
		454 |   }
		455 | 
		456 |   tags = merge(
		457 |     local.tags,
		458 |     { "Name" = "${local.application_name_short}-database-oracle" },
		459 |   )
		460 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:468-484
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		468 | resource "aws_ebs_volume" "oraarch" {
		469 |   availability_zone = "eu-west-2a"
		470 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		471 |   type              = "gp2"
		472 |   encrypted         = true
		473 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		474 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		475 | 
		476 |   lifecycle {
		477 |     ignore_changes = [kms_key_id]
		478 |   }
		479 | 
		480 |   tags = merge(
		481 |     local.tags,
		482 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		483 |   )
		484 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:492-508
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		492 | resource "aws_ebs_volume" "oratmp" {
		493 |   availability_zone = "eu-west-2a"
		494 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		495 |   type              = "gp2"
		496 |   encrypted         = true
		497 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		498 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		499 | 
		500 |   lifecycle {
		501 |     ignore_changes = [kms_key_id]
		502 |   }
		503 | 
		504 |   tags = merge(
		505 |     local.tags,
		506 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		507 |   )
		508 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:516-532
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		516 | resource "aws_ebs_volume" "oraredo" {
		517 |   availability_zone = "eu-west-2a"
		518 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		519 |   type              = "gp2"
		520 |   encrypted         = true
		521 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		522 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		523 | 
		524 |   lifecycle {
		525 |     ignore_changes = [kms_key_id]
		526 |   }
		527 | 
		528 |   tags = merge(
		529 |     local.tags,
		530 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		531 |   )
		532 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:540-556
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		540 | resource "aws_ebs_volume" "share" {
		541 |   availability_zone = "eu-west-2a"
		542 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		543 |   type              = "gp2"
		544 |   encrypted         = true
		545 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		546 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		547 | 
		548 |   lifecycle {
		549 |     ignore_changes = [kms_key_id]
		550 |   }
		551 | 
		552 |   tags = merge(
		553 |     local.tags,
		554 |     { "Name" = "${local.application_name_short}-database-share" },
		555 |   )
		556 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/app_servers.tf line 170:
 170: resource "time_sleep" "wait_app_userdata_scripts" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-10-30T10:35:19Z	INFO	[vulndb] Need to update DB
2024-10-30T10:35:19Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-30T10:35:19Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T10:35:22Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T10:35:22Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-30T10:35:22Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-30T10:35:22Z	INFO	[misconfig] Need to update the built-in checks
2024-10-30T10:35:22Z	INFO	[misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-10-30T10:35:22Z	INFO	[secret] Secret scanning is enabled
2024-10-30T10:35:22Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-30T10:35:22Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-30T10:35:23Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-30T10:35:23Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-30T10:35:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-30T10:35:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-30T10:35:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T10:35:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T10:35:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T10:35:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T10:35:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T10:35:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T10:35:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T10:35:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T10:35:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T10:35:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T10:35:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T10:35:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T10:35:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T10:35:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T10:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-30T10:35:26Z	INFO	Number of language-specific files	num=0
2024-10-30T10:35:26Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 │   enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 │   enable_http2               = false
 ...   
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:191-193
   via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
 180   resource "aws_instance" "app1" {
 ...   
 191 ┌   metadata_options {
 192 │     http_tokens = "optional"
 193 └   }
 ...   
 212   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:214-244
────────────────────────────────────────
 214 ┌ resource "aws_instance" "app2" {
 215 │   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
 216 │   ami                    = local.application_data.accounts[local.environment].app_ami_id
 217 │   availability_zone      = "eu-west-2a"
 218 │   instance_type          = local.application_data.accounts[local.environment].app_instance_type
 219 │   monitoring             = true
 220 │   vpc_security_group_ids = [aws_security_group.app.id]
 221 │   subnet_id              = data.aws_subnet.data_subnets_a.id
 222 │   iam_instance_profile   = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:195-201
   via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
 180   resource "aws_instance" "app1" {
 ...   
 195 ┌   root_block_device {
 196 │     tags = merge(
 197 │       { "instance-scheduling" = "skip-scheduling" },
 198 │       local.tags,
 199 │       { "Name" = "${local.application_name_short}-app1-root" }
 200 │     )
 201 └   }
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:227-233
   via app_servers.tf:214-244 (aws_instance.app2[0])
────────────────────────────────────────
 214   resource "aws_instance" "app2" {
 ...   
 227 ┌   root_block_device {
 228 │     tags = merge(
 229 │       { "instance-scheduling" = "skip-scheduling" },
 230 │       local.tags,
 231 │       { "Name" = "${local.application_name_short}-app2-root" }
 232 │     )
 233 └   }
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:169-171
   via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
 158   resource "aws_instance" "concurrent_manager" {
 ...   
 169 ┌   metadata_options {
 170 │     http_tokens = "optional"
 171 └   }
 ...   
 190   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:173-179
   via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
 158   resource "aws_instance" "concurrent_manager" {
 ...   
 173 ┌   root_block_device {
 174 │     tags = merge(
 175 │       { "instance-scheduling" = "skip-scheduling" },
 176 │       local.tags,
 177 │       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
 178 │     )
 179 └   }
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:195-197
   via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
 184   resource "aws_instance" "database" {
 ...   
 195 ┌   metadata_options {
 196 │     http_tokens = "optional"
 197 └   }
 ...   
 213   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:199-205
   via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
 184   resource "aws_instance" "database" {
 ...   
 199 ┌   root_block_device {
 200 │     tags = merge(
 201 │       { "instance-scheduling" = "skip-scheduling" },
 202 │       local.tags,
 203 │       { "Name" = "${local.application_name_short}-database-root" }
 204 │     )
 205 └   }
 ...   
────────────────────────────────────────


trivy_exitcode=1
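
The checkov, tflint and Trivy findings above (and the repeat of the same Trivy findings in the later run) each come down to one or two Terraform attributes. The following is an added illustration written for this review, not code from the PR or from the modernisation-platform repository: it shows the corrected form of each flagged resource, reusing the PR's own locals and data sources exactly as they appear in the scanner output. `aws_kms_key.s3_scripts`, `aws_iam_role.backup` and `aws_backup_plan.main` are assumed placeholders, and the provider version constraints are examples rather than values taken from the repository.

```hcl
# Added illustration for this review, not code from the PR. Names marked "assumed"
# do not exist in the scanned module and stand in for whatever the repository uses.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
    # terraform_required_providers: every provider the root module touches gets a constraint.
    time    = { source = "hashicorp/time", version = "~> 0.12" }
    archive = { source = "hashicorp/archive", version = "~> 2.4" }
    local   = { source = "hashicorp/local", version = "~> 2.5" }
    # hashicorp/template is archived; templatefile() replaces data "template_file".
  }
}

resource "aws_instance" "app1" {
  ami                    = local.application_data.accounts[local.environment].app_ami_id
  instance_type          = local.application_data.accounts[local.environment].app_instance_type
  availability_zone      = "eu-west-2a"
  subnet_id              = data.aws_subnet.data_subnets_a.id
  vpc_security_group_ids = [aws_security_group.app.id]
  iam_instance_profile   = aws_iam_instance_profile.cwa.id
  monitoring             = true

  # avd-aws-0028: IMDSv2 only. A token-less GET to 169.254.169.254 now returns 401,
  # which is what stops an SSRF in the app from reading the instance role's credentials.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # avd-aws-0131: the data volumes are encrypted but the root volume was not.
  root_block_device {
    encrypted  = true
    kms_key_id = data.aws_kms_key.ebs_shared.arn
    tags       = merge(local.tags, { "Name" = "${local.application_name_short}-app1-root" })
  }

  tags = merge(local.tags, { "Name" = "${local.application_name_short}-app1" })
}

resource "aws_ebs_volume" "oradata" {
  availability_zone = "eu-west-2a"
  size              = local.application_data.accounts[local.environment].ebs_oradata_size
  type              = "gp2"
  encrypted         = true
  # Passing the key ARN instead of key_id means the provider reads back the same
  # value it wrote, so the lifecycle { ignore_changes = [kms_key_id] } workaround can go.
  kms_key_id = data.aws_kms_key.ebs_shared.arn
  tags       = merge(local.tags, { "Name" = "${local.application_name_short}-database-oradata" })
}

# CKV2_AWS_9: the volume passes once an aws_backup_selection lists it.
resource "aws_backup_selection" "ebs" {
  name         = "${local.application_name_short}-ebs"
  iam_role_arn = aws_iam_role.backup.arn # assumed role carrying AWSBackupServiceRolePolicyForBackup
  plan_id      = aws_backup_plan.main.id # assumed plan
  resources    = [aws_ebs_volume.oradata.arn]
}

resource "aws_s3_bucket" "scripts" {
  bucket = "${local.application_name_short}-${local.environment}-scripts"
  tags   = merge(local.tags, { Name = "${local.application_name_short}-${local.environment}-scripts" })
}

# CKV_AWS_145 / avd-aws-0088 / avd-aws-0132: SSE-KMS under a customer managed key.
resource "aws_s3_bucket_server_side_encryption_configuration" "scripts" {
  bucket = aws_s3_bucket.scripts.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3_scripts.arn # assumed CMK
    }
    bucket_key_enabled = true
  }
}

# CKV2_AWS_61: expire abandoned uploads and superseded object versions.
resource "aws_s3_bucket_lifecycle_configuration" "scripts" {
  bucket = aws_s3_bucket.scripts.id
  rule {
    id     = "tidy-scripts"
    status = "Enabled"
    filter {}
    abort_incomplete_multipart_upload { days_after_initiation = 7 }
    noncurrent_version_expiration { noncurrent_days = 90 }
  }
}

resource "aws_lb" "external" {
  name               = "${upper(local.application_name_short)}-LoadBalancer"
  internal           = false # avd-aws-0053 is a warning only: this ALB is meant to be public
  load_balancer_type = "application"
  security_groups    = [aws_security_group.external_lb.id]
  subnets            = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
  # avd-aws-0052: strip malformed header fields before they reach the app servers.
  drop_invalid_header_fields = true
}
```

Two caveats before copying any of this into the PR. First, this PR changes user data, and `http_tokens = "required"` breaks any user-data step or agent that still reads IMDS without a token: such scripts must first obtain one with `curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` and send it as `X-aws-ec2-metadata-token`; keep the hop limit at 1 unless containers on the host also need IMDS, in which case 2 is the usual value. Second, the backup selection above lists the volume ARN explicitly because checkov resolves CKV2_AWS_9 through that link; a tag-based `selection_tag` works in AWS Backup but the static check may not recognise it. The remaining CloudFormation finding, CKV_AWS_192 on wafv2.template, is satisfied by adding the AWS managed rule group `AWSManagedRulesKnownBadInputsRuleSet`, which carries the Log4JRCE rules, to the WebACL.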

@vc13837 vc13837 temporarily deployed to contract-work-administration-development October 30, 2024 11:05 — with GitHub Actions Inactive
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-10-30T11:06:14Z INFO [vulndb] Need to update DB
2024-10-30T11:06:14Z INFO [vulndb] Downloading vulnerability DB...
2024-10-30T11:06:14Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T11:06:16Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T11:06:16Z INFO [vuln] Vulnerability scanning is enabled
2024-10-30T11:06:16Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-30T11:06:16Z INFO [misconfig] Need to update the built-in checks
2024-10-30T11:06:16Z INFO [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-10-30T11:06:17Z INFO [secret] Secret scanning is enabled
2024-10-30T11:06:17Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-30T11:06:17Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-30T11:06:18Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-30T11:06:18Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-30T11:06:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-30T11:06:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-30T11:06:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T11:06:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T11:06:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T11:06:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T11:06:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T11:06:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T11:06:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T11:06:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T11:06:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T11:06:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T11:06:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T11:06:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T11:06:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T11:06:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T11:06:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-30T11:06:22Z INFO Number of language-specific files num=0
2024-10-30T11:06:22Z INFO Detected config files num=9

alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:191-193
via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
180 resource "aws_instance" "app1" {
...
191 ┌ metadata_options {
192 │ http_tokens = "optional"
193 └ }
...
212 }
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:226-228
via app_servers.tf:214-247 (aws_instance.app2[0])
────────────────────────────────────────
214 resource "aws_instance" "app2" {
...
226 ┌ metadata_options {
227 │ http_tokens = "optional"
228 └ }
...
247 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:195-201
via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
180 resource "aws_instance" "app1" {
...
195 ┌ root_block_device {
196 │ tags = merge(
197 │ { "instance-scheduling" = "skip-scheduling" },
198 │ local.tags,
199 │ { "Name" = "${local.application_name_short}-app1-root" }
200 │ )
201 └ }
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:230-236
via app_servers.tf:214-247 (aws_instance.app2[0])
────────────────────────────────────────
214 resource "aws_instance" "app2" {
...
230 ┌ root_block_device {
231 │ tags = merge(
232 │ { "instance-scheduling" = "skip-scheduling" },
233 │ local.tags,
234 │ { "Name" = "${local.application_name_short}-app2-root" }
235 │ )
236 └ }
...
────────────────────────────────────────

backup_lambda.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:169-171
via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
158 resource "aws_instance" "concurrent_manager" {
...
169 ┌ metadata_options {
170 │ http_tokens = "optional"
171 └ }
...
190 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:173-179
via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
158 resource "aws_instance" "concurrent_manager" {
...
173 ┌ root_block_device {
174 │ tags = merge(
175 │ { "instance-scheduling" = "skip-scheduling" },
176 │ local.tags,
177 │ { "Name" = "${local.application_name_short}-concurrent-manager-root" }
178 │ )
179 └ }
...
────────────────────────────────────────

database.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:195-197
via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
184 resource "aws_instance" "database" {
...
195 ┌ metadata_options {
196 │ http_tokens = "optional"
197 └ }
...
213 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:199-205
via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
184 resource "aws_instance" "database" {
...
199 ┌ root_block_device {
200 │ tags = merge(
201 │ { "instance-scheduling" = "skip-scheduling" },
202 │ local.tags,
203 │ { "Name" = "${local.application_name_short}-database-root" }
204 │ )
205 └ }
...
────────────────────────────────────────

trivy_exitcode=1

</details>

#### `Checkov Scan` Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-30 11:06:25,548 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 11:06:25,548 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 11:06:25,548 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 11:06:25,581 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-30 11:06:25,591 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:180-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		180 | resource "aws_instance" "app1" {
		181 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		182 |   availability_zone           = "eu-west-2a"
		183 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		184 |   monitoring                  = true
		185 |   vpc_security_group_ids      = [aws_security_group.app.id]
		186 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		187 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		188 |   key_name                    = aws_key_pair.cwa.key_name
		189 |   user_data_base64            = base64encode(local.app_userdata)
		190 |   user_data_replace_on_change = false
		191 |   metadata_options {
		192 |     http_tokens = "optional"
		193 |   }
		194 | 
		195 |   root_block_device {
		196 |     tags = merge(
		197 |       { "instance-scheduling" = "skip-scheduling" },
		198 |       local.tags,
		199 |       { "Name" = "${local.application_name_short}-app1-root" }
		200 |     )
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     { "instance-scheduling" = "skip-scheduling" },
		205 |     local.tags,
		206 |     { "Name" = local.appserver1_ec2_name },
		207 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		208 |   )
		209 | 
		210 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		211 | 
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:180-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		180 | resource "aws_instance" "app1" {
		181 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		182 |   availability_zone           = "eu-west-2a"
		183 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		184 |   monitoring                  = true
		185 |   vpc_security_group_ids      = [aws_security_group.app.id]
		186 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		187 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		188 |   key_name                    = aws_key_pair.cwa.key_name
		189 |   user_data_base64            = base64encode(local.app_userdata)
		190 |   user_data_replace_on_change = false
		191 |   metadata_options {
		192 |     http_tokens = "optional"
		193 |   }
		194 | 
		195 |   root_block_device {
		196 |     tags = merge(
		197 |       { "instance-scheduling" = "skip-scheduling" },
		198 |       local.tags,
		199 |       { "Name" = "${local.application_name_short}-app1-root" }
		200 |     )
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     { "instance-scheduling" = "skip-scheduling" },
		205 |     local.tags,
		206 |     { "Name" = local.appserver1_ec2_name },
		207 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		208 |   )
		209 | 
		210 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		211 | 
		212 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:214-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		214 | resource "aws_instance" "app2" {
		215 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		216 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		217 |   availability_zone      = "eu-west-2a"
		218 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		219 |   monitoring             = true
		220 |   vpc_security_group_ids = [aws_security_group.app.id]
		221 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		222 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		223 |   key_name               = aws_key_pair.cwa.key_name
		224 |   user_data_base64       = base64encode(local.app_userdata)
		225 |   user_data_replace_on_change = true
		226 |   metadata_options {
		227 |     http_tokens = "optional"
		228 |   }
		229 | 
		230 |   root_block_device {
		231 |     tags = merge(
		232 |       { "instance-scheduling" = "skip-scheduling" },
		233 |       local.tags,
		234 |       { "Name" = "${local.application_name_short}-app2-root" }
		235 |     )
		236 |   }
		237 | 
		238 |   tags = merge(
		239 |     { "instance-scheduling" = "skip-scheduling" },
		240 |     local.tags,
		241 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		242 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		243 |   )
		244 | 
		245 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		246 | 
		247 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:214-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		214 | resource "aws_instance" "app2" {
		215 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		216 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		217 |   availability_zone      = "eu-west-2a"
		218 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		219 |   monitoring             = true
		220 |   vpc_security_group_ids = [aws_security_group.app.id]
		221 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		222 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		223 |   key_name               = aws_key_pair.cwa.key_name
		224 |   user_data_base64       = base64encode(local.app_userdata)
		225 |   user_data_replace_on_change = true
		226 |   metadata_options {
		227 |     http_tokens = "optional"
		228 |   }
		229 | 
		230 |   root_block_device {
		231 |     tags = merge(
		232 |       { "instance-scheduling" = "skip-scheduling" },
		233 |       local.tags,
		234 |       { "Name" = "${local.application_name_short}-app2-root" }
		235 |     )
		236 |   }
		237 | 
		238 |   tags = merge(
		239 |     { "instance-scheduling" = "skip-scheduling" },
		240 |     local.tags,
		241 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		242 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		243 |   )
		244 | 
		245 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		246 | 
		247 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:265-269
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		265 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		266 |   security_group_id = aws_security_group.app.id
		267 |   cidr_ipv4         = "0.0.0.0/0"
		268 |   ip_protocol       = "-1"
		269 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:271-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		271 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		272 |   security_group_id            = aws_security_group.app.id
		273 |   description                  = "SSH from the Bastion"
		274 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		275 |   from_port                    = 22
		276 |   ip_protocol                  = "tcp"
		277 |   to_port                      = 22
		278 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:158-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		158 | resource "aws_instance" "concurrent_manager" {
		159 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		160 |   availability_zone           = "eu-west-2a"
		161 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		162 |   monitoring                  = true
		163 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		164 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		165 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		166 |   key_name                    = aws_key_pair.cwa.key_name
		167 |   user_data_base64            = base64encode(local.cm_userdata)
		168 |   user_data_replace_on_change = false
		169 |   metadata_options {
		170 |     http_tokens = "optional"
		171 |   }
		172 | 
		173 |   root_block_device {
		174 |     tags = merge(
		175 |       { "instance-scheduling" = "skip-scheduling" },
		176 |       local.tags,
		177 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		178 |     )
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     { "instance-scheduling" = "skip-scheduling" },
		183 |     local.tags,
		184 |     { "Name" = local.cm_ec2_name },
		185 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		186 |   )
		187 | 
		188 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		189 | 
		190 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:158-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		158 | resource "aws_instance" "concurrent_manager" {
		159 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		160 |   availability_zone           = "eu-west-2a"
		161 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		162 |   monitoring                  = true
		163 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		164 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		165 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		166 |   key_name                    = aws_key_pair.cwa.key_name
		167 |   user_data_base64            = base64encode(local.cm_userdata)
		168 |   user_data_replace_on_change = false
		169 |   metadata_options {
		170 |     http_tokens = "optional"
		171 |   }
		172 | 
		173 |   root_block_device {
		174 |     tags = merge(
		175 |       { "instance-scheduling" = "skip-scheduling" },
		176 |       local.tags,
		177 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		178 |     )
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     { "instance-scheduling" = "skip-scheduling" },
		183 |     local.tags,
		184 |     { "Name" = local.cm_ec2_name },
		185 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		186 |   )
		187 | 
		188 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		189 | 
		190 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:208-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		208 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		209 |   security_group_id = aws_security_group.concurrent_manager.id
		210 |   cidr_ipv4         = "0.0.0.0/0"
		211 |   ip_protocol       = "-1"
		212 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:214-221
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		214 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		215 |   security_group_id            = aws_security_group.concurrent_manager.id
		216 |   description                  = "SSH from the Bastion"
		217 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		218 |   from_port                    = 22
		219 |   ip_protocol                  = "tcp"
		220 |   to_port                      = 22
		221 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:184-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		184 | resource "aws_instance" "database" {
		185 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		186 |   availability_zone           = "eu-west-2a"
		187 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		188 |   monitoring                  = true
		189 |   vpc_security_group_ids      = [aws_security_group.database.id]
		190 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		191 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		192 |   key_name                    = aws_key_pair.cwa.key_name
		193 |   user_data_base64            = base64encode(local.db_userdata)
		194 |   user_data_replace_on_change = false
		195 |   metadata_options {
		196 |     http_tokens = "optional"
		197 |   }
		198 | 
		199 |   root_block_device {
		200 |     tags = merge(
		201 |       { "instance-scheduling" = "skip-scheduling" },
		202 |       local.tags,
		203 |       { "Name" = "${local.application_name_short}-database-root" }
		204 |     )
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     { "instance-scheduling" = "skip-scheduling" },
		209 |     local.tags,
		210 |     { "Name" = local.database_ec2_name }
		211 |   )
		212 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:184-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		184 | resource "aws_instance" "database" {
		185 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		186 |   availability_zone           = "eu-west-2a"
		187 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		188 |   monitoring                  = true
		189 |   vpc_security_group_ids      = [aws_security_group.database.id]
		190 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		191 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		192 |   key_name                    = aws_key_pair.cwa.key_name
		193 |   user_data_base64            = base64encode(local.db_userdata)
		194 |   user_data_replace_on_change = false
		195 |   metadata_options {
		196 |     http_tokens = "optional"
		197 |   }
		198 | 
		199 |   root_block_device {
		200 |     tags = merge(
		201 |       { "instance-scheduling" = "skip-scheduling" },
		202 |       local.tags,
		203 |       { "Name" = "${local.application_name_short}-database-root" }
		204 |     )
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     { "instance-scheduling" = "skip-scheduling" },
		209 |     local.tags,
		210 |     { "Name" = local.database_ec2_name }
		211 |   )
		212 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		213 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:236-240
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		236 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		237 |   security_group_id = aws_security_group.database.id
		238 |   cidr_ipv4         = "0.0.0.0/0"
		239 |   ip_protocol       = "-1"
		240 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:242-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		242 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		243 |   security_group_id            = aws_security_group.database.id
		244 |   description                  = "SSH from the Bastion"
		245 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		246 |   from_port                    = 22
		247 |   ip_protocol                  = "tcp"
		248 |   to_port                      = 22
		249 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:251-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		251 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		252 |   security_group_id            = aws_security_group.database.id
		253 |   description                  = "Allow Lambda SSH access for backup snapshots"
		254 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		255 |   from_port                    = 22
		256 |   ip_protocol                  = "tcp"
		257 |   to_port                      = 22
		258 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:385-401
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		385 | resource "aws_ebs_volume" "app1" {
		386 |   availability_zone = "eu-west-2a"
		387 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		388 |   type              = "gp2"
		389 |   encrypted         = true
		390 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		391 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		392 | 
		393 |   lifecycle {
		394 |     ignore_changes = [kms_key_id]
		395 |   }
		396 | 
		397 |   tags = merge(
		398 |     local.tags,
		399 |     { "Name" = "${local.application_name_short}-app1-data" },
		400 |   )
		401 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:409-426
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		409 | resource "aws_ebs_volume" "app2" {
		410 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		411 |   availability_zone = "eu-west-2a"
		412 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		413 |   type              = "gp2"
		414 |   encrypted         = true
		415 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		416 |   # snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		417 | 
		418 |   lifecycle {
		419 |     ignore_changes = [kms_key_id]
		420 |   }
		421 | 
		422 |   tags = merge(
		423 |     local.tags,
		424 |     { "Name" = "${local.application_name_short}-app2-data" },
		425 |   )
		426 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:245-261
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		245 | resource "aws_ebs_volume" "concurrent_manager" {
		246 |   availability_zone = "eu-west-2a"
		247 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		248 |   type              = "gp2"
		249 |   encrypted         = true
		250 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		251 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		252 | 
		253 |   lifecycle {
		254 |     ignore_changes = [kms_key_id]
		255 |   }
		256 | 
		257 |   tags = merge(
		258 |     local.tags,
		259 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		260 |   )
		261 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:420-436
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		420 | resource "aws_ebs_volume" "oradata" {
		421 |   availability_zone = "eu-west-2a"
		422 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		423 |   type              = "gp2"
		424 |   encrypted         = true
		425 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		426 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		427 | 
		428 |   lifecycle {
		429 |     ignore_changes = [kms_key_id]
		430 |   }
		431 | 
		432 |   tags = merge(
		433 |     local.tags,
		434 |     { "Name" = "${local.application_name_short}-database-oradata" },
		435 |   )
		436 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:444-460
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		444 | resource "aws_ebs_volume" "oracle" {
		445 |   availability_zone = "eu-west-2a"
		446 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		447 |   type              = "gp2"
		448 |   encrypted         = true
		449 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		450 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		451 | 
		452 |   lifecycle {
		453 |     ignore_changes = [kms_key_id]
		454 |   }
		455 | 
		456 |   tags = merge(
		457 |     local.tags,
		458 |     { "Name" = "${local.application_name_short}-database-oracle" },
		459 |   )
		460 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:468-484
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		468 | resource "aws_ebs_volume" "oraarch" {
		469 |   availability_zone = "eu-west-2a"
		470 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		471 |   type              = "gp2"
		472 |   encrypted         = true
		473 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		474 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		475 | 
		476 |   lifecycle {
		477 |     ignore_changes = [kms_key_id]
		478 |   }
		479 | 
		480 |   tags = merge(
		481 |     local.tags,
		482 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		483 |   )
		484 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:492-508
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		492 | resource "aws_ebs_volume" "oratmp" {
		493 |   availability_zone = "eu-west-2a"
		494 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		495 |   type              = "gp2"
		496 |   encrypted         = true
		497 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		498 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		499 | 
		500 |   lifecycle {
		501 |     ignore_changes = [kms_key_id]
		502 |   }
		503 | 
		504 |   tags = merge(
		505 |     local.tags,
		506 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		507 |   )
		508 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:516-532
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		516 | resource "aws_ebs_volume" "oraredo" {
		517 |   availability_zone = "eu-west-2a"
		518 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		519 |   type              = "gp2"
		520 |   encrypted         = true
		521 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		522 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		523 | 
		524 |   lifecycle {
		525 |     ignore_changes = [kms_key_id]
		526 |   }
		527 | 
		528 |   tags = merge(
		529 |     local.tags,
		530 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		531 |   )
		532 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:540-556
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		540 | resource "aws_ebs_volume" "share" {
		541 |   availability_zone = "eu-west-2a"
		542 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		543 |   type              = "gp2"
		544 |   encrypted         = true
		545 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		546 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		547 | 
		548 |   lifecycle {
		549 |     ignore_changes = [kms_key_id]
		550 |   }
		551 | 
		552 |   tags = merge(
		553 |     local.tags,
		554 |     { "Name" = "${local.application_name_short}-database-share" },
		555 |   )
		556 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/concurrent_manager.tf line 149:
 149: resource "time_sleep" "wait_cm_custom_script" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-10-30T11:06:14Z	INFO	[vulndb] Need to update DB
2024-10-30T11:06:14Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-30T11:06:14Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T11:06:16Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T11:06:16Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-30T11:06:16Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-30T11:06:16Z	INFO	[misconfig] Need to update the built-in checks
2024-10-30T11:06:16Z	INFO	[misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-10-30T11:06:17Z	INFO	[secret] Secret scanning is enabled
2024-10-30T11:06:17Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-30T11:06:17Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-30T11:06:18Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-30T11:06:18Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-30T11:06:19Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-30T11:06:19Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-30T11:06:19Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T11:06:19Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T11:06:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T11:06:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T11:06:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T11:06:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T11:06:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T11:06:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T11:06:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T11:06:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T11:06:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T11:06:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T11:06:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T11:06:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T11:06:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-30T11:06:22Z	INFO	Number of language-specific files	num=0
2024-10-30T11:06:22Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:191-193
   via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
 180   resource "aws_instance" "app1" {
 ...   
 191 ┌   metadata_options {
 192 │     http_tokens = "optional"
 193 └   }
 ...   
 212   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:226-228
   via app_servers.tf:214-247 (aws_instance.app2[0])
────────────────────────────────────────
 214   resource "aws_instance" "app2" {
 ...   
 226 ┌   metadata_options {
 227 │     http_tokens = "optional"
 228 └   }
 ...   
 247   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:195-201
   via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
 180   resource "aws_instance" "app1" {
 ...   
 195 ┌   root_block_device {
 196 │     tags = merge(
 197 │       { "instance-scheduling" = "skip-scheduling" },
 198 │       local.tags,
 199 │       { "Name" = "${local.application_name_short}-app1-root" }
 200 │     )
 201 └   }
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:230-236
   via app_servers.tf:214-247 (aws_instance.app2[0])
────────────────────────────────────────
 214   resource "aws_instance" "app2" {
 ...   
 230 ┌   root_block_device {
 231 │     tags = merge(
 232 │       { "instance-scheduling" = "skip-scheduling" },
 233 │       local.tags,
 234 │       { "Name" = "${local.application_name_short}-app2-root" }
 235 │     )
 236 └   }
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:169-171
   via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
 158   resource "aws_instance" "concurrent_manager" {
 ...   
 169 ┌   metadata_options {
 170 │     http_tokens = "optional"
 171 └   }
 ...   
 190   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:173-179
   via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
 158   resource "aws_instance" "concurrent_manager" {
 ...   
 173 ┌   root_block_device {
 174 │     tags = merge(
 175 │       { "instance-scheduling" = "skip-scheduling" },
 176 │       local.tags,
 177 │       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
 178 │     )
 179 └   }
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:195-197
   via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
 184   resource "aws_instance" "database" {
 ...   
 195 ┌   metadata_options {
 196 │     http_tokens = "optional"
 197 └   }
 ...   
 213   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:199-205
   via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
 184   resource "aws_instance" "database" {
 ...   
 199 ┌   root_block_device {
 200 │     tags = merge(
 201 │       { "instance-scheduling" = "skip-scheduling" },
 202 │       local.tags,
 203 │       { "Name" = "${local.application_name_short}-database-root" }
 204 │     )
 205 └   }
 ...   
────────────────────────────────────────


trivy_exitcode=1

@vc13837 vc13837 had a problem deploying to contract-work-administration-development October 30, 2024 13:58 — with GitHub Actions Failure
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-10-30T13:59:37Z INFO [vulndb] Need to update DB
2024-10-30T13:59:37Z INFO [vulndb] Downloading vulnerability DB...
2024-10-30T13:59:37Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T13:59:39Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T13:59:39Z INFO [vuln] Vulnerability scanning is enabled
2024-10-30T13:59:39Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-30T13:59:39Z INFO [misconfig] Need to update the built-in checks
2024-10-30T13:59:39Z INFO [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-30T13:59:39Z INFO [secret] Secret scanning is enabled
2024-10-30T13:59:39Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-30T13:59:39Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-30T13:59:41Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-30T13:59:41Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-30T13:59:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-30T13:59:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-30T13:59:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T13:59:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T13:59:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T13:59:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T13:59:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T13:59:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T13:59:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T13:59:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T13:59:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T13:59:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T13:59:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T13:59:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T13:59:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T13:59:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T13:59:44Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-30T13:59:45Z INFO Number of language-specific files num=0
2024-10-30T13:59:45Z INFO Detected config files num=9

alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:191-193
via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
180 resource "aws_instance" "app1" {
...
191 ┌ metadata_options {
192 │ http_tokens = "optional"
193 └ }
...
212 }
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:226-228
via app_servers.tf:214-247 (aws_instance.app2[0])
────────────────────────────────────────
214 resource "aws_instance" "app2" {
...
226 ┌ metadata_options {
227 │ http_tokens = "optional"
228 └ }
...
247 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:195-201
via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
180 resource "aws_instance" "app1" {
...
195 ┌ root_block_device {
196 │ tags = merge(
197 │ { "instance-scheduling" = "skip-scheduling" },
198 │ local.tags,
199 │ { "Name" = "${local.application_name_short}-app1-root" }
200 │ )
201 └ }
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:230-236
via app_servers.tf:214-247 (aws_instance.app2[0])
────────────────────────────────────────
214 resource "aws_instance" "app2" {
...
230 ┌ root_block_device {
231 │ tags = merge(
232 │ { "instance-scheduling" = "skip-scheduling" },
233 │ local.tags,
234 │ { "Name" = "${local.application_name_short}-app2-root" }
235 │ )
236 └ }
...
────────────────────────────────────────

backup_lambda.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:169-171
via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
158 resource "aws_instance" "concurrent_manager" {
...
169 ┌ metadata_options {
170 │ http_tokens = "optional"
171 └ }
...
190 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:173-179
via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
158 resource "aws_instance" "concurrent_manager" {
...
173 ┌ root_block_device {
174 │ tags = merge(
175 │ { "instance-scheduling" = "skip-scheduling" },
176 │ local.tags,
177 │ { "Name" = "${local.application_name_short}-concurrent-manager-root" }
178 │ )
179 └ }
...
────────────────────────────────────────

database.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:195-197
via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
184 resource "aws_instance" "database" {
...
195 ┌ metadata_options {
196 │ http_tokens = "optional"
197 └ }
...
213 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:199-205
via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
184 resource "aws_instance" "database" {
...
199 ┌ root_block_device {
200 │ tags = merge(
201 │ { "instance-scheduling" = "skip-scheduling" },
202 │ local.tags,
203 │ { "Name" = "${local.application_name_short}-database-root" }
204 │ )
205 └ }
...
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-30 13:59:47,957 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 13:59:47,957 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 13:59:47,957 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 13:59:47,991 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-30 13:59:47,992 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:180-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		180 | resource "aws_instance" "app1" {
		181 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		182 |   availability_zone           = "eu-west-2a"
		183 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		184 |   monitoring                  = true
		185 |   vpc_security_group_ids      = [aws_security_group.app.id]
		186 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		187 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		188 |   key_name                    = aws_key_pair.cwa.key_name
		189 |   user_data_base64            = base64encode(local.app_userdata)
		190 |   user_data_replace_on_change = false
		191 |   metadata_options {
		192 |     http_tokens = "optional"
		193 |   }
		194 | 
		195 |   root_block_device {
		196 |     tags = merge(
		197 |       { "instance-scheduling" = "skip-scheduling" },
		198 |       local.tags,
		199 |       { "Name" = "${local.application_name_short}-app1-root" }
		200 |     )
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     { "instance-scheduling" = "skip-scheduling" },
		205 |     local.tags,
		206 |     { "Name" = local.appserver1_ec2_name },
		207 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		208 |   )
		209 | 
		210 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		211 | 
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:180-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		180 | resource "aws_instance" "app1" {
		181 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		182 |   availability_zone           = "eu-west-2a"
		183 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		184 |   monitoring                  = true
		185 |   vpc_security_group_ids      = [aws_security_group.app.id]
		186 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		187 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		188 |   key_name                    = aws_key_pair.cwa.key_name
		189 |   user_data_base64            = base64encode(local.app_userdata)
		190 |   user_data_replace_on_change = false
		191 |   metadata_options {
		192 |     http_tokens = "optional"
		193 |   }
		194 | 
		195 |   root_block_device {
		196 |     tags = merge(
		197 |       { "instance-scheduling" = "skip-scheduling" },
		198 |       local.tags,
		199 |       { "Name" = "${local.application_name_short}-app1-root" }
		200 |     )
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     { "instance-scheduling" = "skip-scheduling" },
		205 |     local.tags,
		206 |     { "Name" = local.appserver1_ec2_name },
		207 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		208 |   )
		209 | 
		210 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		211 | 
		212 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:214-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		214 | resource "aws_instance" "app2" {
		215 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		216 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		217 |   availability_zone      = "eu-west-2a"
		218 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		219 |   monitoring             = true
		220 |   vpc_security_group_ids = [aws_security_group.app.id]
		221 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		222 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		223 |   key_name               = aws_key_pair.cwa.key_name
		224 |   user_data_base64       = base64encode(local.app_userdata)
		225 |   user_data_replace_on_change = true
		226 |   metadata_options {
		227 |     http_tokens = "optional"
		228 |   }
		229 | 
		230 |   root_block_device {
		231 |     tags = merge(
		232 |       { "instance-scheduling" = "skip-scheduling" },
		233 |       local.tags,
		234 |       { "Name" = "${local.application_name_short}-app2-root" }
		235 |     )
		236 |   }
		237 | 
		238 |   tags = merge(
		239 |     { "instance-scheduling" = "skip-scheduling" },
		240 |     local.tags,
		241 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		242 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		243 |   )
		244 | 
		245 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		246 | 
		247 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:214-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		214 | resource "aws_instance" "app2" {
		215 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		216 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		217 |   availability_zone      = "eu-west-2a"
		218 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		219 |   monitoring             = true
		220 |   vpc_security_group_ids = [aws_security_group.app.id]
		221 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		222 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		223 |   key_name               = aws_key_pair.cwa.key_name
		224 |   user_data_base64       = base64encode(local.app_userdata)
		225 |   user_data_replace_on_change = true
		226 |   metadata_options {
		227 |     http_tokens = "optional"
		228 |   }
		229 | 
		230 |   root_block_device {
		231 |     tags = merge(
		232 |       { "instance-scheduling" = "skip-scheduling" },
		233 |       local.tags,
		234 |       { "Name" = "${local.application_name_short}-app2-root" }
		235 |     )
		236 |   }
		237 | 
		238 |   tags = merge(
		239 |     { "instance-scheduling" = "skip-scheduling" },
		240 |     local.tags,
		241 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		242 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		243 |   )
		244 | 
		245 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		246 | 
		247 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:265-269
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		265 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		266 |   security_group_id = aws_security_group.app.id
		267 |   cidr_ipv4         = "0.0.0.0/0"
		268 |   ip_protocol       = "-1"
		269 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:271-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		271 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		272 |   security_group_id            = aws_security_group.app.id
		273 |   description                  = "SSH from the Bastion"
		274 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		275 |   from_port                    = 22
		276 |   ip_protocol                  = "tcp"
		277 |   to_port                      = 22
		278 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:158-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		158 | resource "aws_instance" "concurrent_manager" {
		159 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		160 |   availability_zone           = "eu-west-2a"
		161 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		162 |   monitoring                  = true
		163 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		164 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		165 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		166 |   key_name                    = aws_key_pair.cwa.key_name
		167 |   user_data_base64            = base64encode(local.cm_userdata)
		168 |   user_data_replace_on_change = false
		169 |   metadata_options {
		170 |     http_tokens = "optional"
		171 |   }
		172 | 
		173 |   root_block_device {
		174 |     tags = merge(
		175 |       { "instance-scheduling" = "skip-scheduling" },
		176 |       local.tags,
		177 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		178 |     )
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     { "instance-scheduling" = "skip-scheduling" },
		183 |     local.tags,
		184 |     { "Name" = local.cm_ec2_name },
		185 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		186 |   )
		187 | 
		188 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		189 | 
		190 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:158-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		158 | resource "aws_instance" "concurrent_manager" {
		159 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		160 |   availability_zone           = "eu-west-2a"
		161 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		162 |   monitoring                  = true
		163 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		164 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		165 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		166 |   key_name                    = aws_key_pair.cwa.key_name
		167 |   user_data_base64            = base64encode(local.cm_userdata)
		168 |   user_data_replace_on_change = false
		169 |   metadata_options {
		170 |     http_tokens = "optional"
		171 |   }
		172 | 
		173 |   root_block_device {
		174 |     tags = merge(
		175 |       { "instance-scheduling" = "skip-scheduling" },
		176 |       local.tags,
		177 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		178 |     )
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     { "instance-scheduling" = "skip-scheduling" },
		183 |     local.tags,
		184 |     { "Name" = local.cm_ec2_name },
		185 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		186 |   )
		187 | 
		188 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		189 | 
		190 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:208-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		208 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		209 |   security_group_id = aws_security_group.concurrent_manager.id
		210 |   cidr_ipv4         = "0.0.0.0/0"
		211 |   ip_protocol       = "-1"
		212 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:214-221
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		214 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		215 |   security_group_id            = aws_security_group.concurrent_manager.id
		216 |   description                  = "SSH from the Bastion"
		217 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		218 |   from_port                    = 22
		219 |   ip_protocol                  = "tcp"
		220 |   to_port                      = 22
		221 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:184-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		184 | resource "aws_instance" "database" {
		185 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		186 |   availability_zone           = "eu-west-2a"
		187 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		188 |   monitoring                  = true
		189 |   vpc_security_group_ids      = [aws_security_group.database.id]
		190 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		191 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		192 |   key_name                    = aws_key_pair.cwa.key_name
		193 |   user_data_base64            = base64encode(local.db_userdata)
		194 |   user_data_replace_on_change = false
		195 |   metadata_options {
		196 |     http_tokens = "optional"
		197 |   }
		198 | 
		199 |   root_block_device {
		200 |     tags = merge(
		201 |       { "instance-scheduling" = "skip-scheduling" },
		202 |       local.tags,
		203 |       { "Name" = "${local.application_name_short}-database-root" }
		204 |     )
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     { "instance-scheduling" = "skip-scheduling" },
		209 |     local.tags,
		210 |     { "Name" = local.database_ec2_name }
		211 |   )
		212 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:184-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		184 | resource "aws_instance" "database" {
		185 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		186 |   availability_zone           = "eu-west-2a"
		187 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		188 |   monitoring                  = true
		189 |   vpc_security_group_ids      = [aws_security_group.database.id]
		190 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		191 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		192 |   key_name                    = aws_key_pair.cwa.key_name
		193 |   user_data_base64            = base64encode(local.db_userdata)
		194 |   user_data_replace_on_change = false
		195 |   metadata_options {
		196 |     http_tokens = "optional"
		197 |   }
		198 | 
		199 |   root_block_device {
		200 |     tags = merge(
		201 |       { "instance-scheduling" = "skip-scheduling" },
		202 |       local.tags,
		203 |       { "Name" = "${local.application_name_short}-database-root" }
		204 |     )
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     { "instance-scheduling" = "skip-scheduling" },
		209 |     local.tags,
		210 |     { "Name" = local.database_ec2_name }
		211 |   )
		212 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		213 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:236-240
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		236 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		237 |   security_group_id = aws_security_group.database.id
		238 |   cidr_ipv4         = "0.0.0.0/0"
		239 |   ip_protocol       = "-1"
		240 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:242-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		242 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		243 |   security_group_id            = aws_security_group.database.id
		244 |   description                  = "SSH from the Bastion"
		245 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		246 |   from_port                    = 22
		247 |   ip_protocol                  = "tcp"
		248 |   to_port                      = 22
		249 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:251-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		251 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		252 |   security_group_id            = aws_security_group.database.id
		253 |   description                  = "Allow Lambda SSH access for backup snapshots"
		254 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		255 |   from_port                    = 22
		256 |   ip_protocol                  = "tcp"
		257 |   to_port                      = 22
		258 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:385-401
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		385 | resource "aws_ebs_volume" "app1" {
		386 |   availability_zone = "eu-west-2a"
		387 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		388 |   type              = "gp2"
		389 |   encrypted         = true
		390 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		391 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		392 | 
		393 |   lifecycle {
		394 |     ignore_changes = [kms_key_id]
		395 |   }
		396 | 
		397 |   tags = merge(
		398 |     local.tags,
		399 |     { "Name" = "${local.application_name_short}-app1-data" },
		400 |   )
		401 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:409-426
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		409 | resource "aws_ebs_volume" "app2" {
		410 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		411 |   availability_zone = "eu-west-2a"
		412 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		413 |   type              = "gp2"
		414 |   encrypted         = true
		415 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		416 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		417 | 
		418 |   lifecycle {
		419 |     ignore_changes = [kms_key_id]
		420 |   }
		421 | 
		422 |   tags = merge(
		423 |     local.tags,
		424 |     { "Name" = "${local.application_name_short}-app2-data" },
		425 |   )
		426 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:245-261
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		245 | resource "aws_ebs_volume" "concurrent_manager" {
		246 |   availability_zone = "eu-west-2a"
		247 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		248 |   type              = "gp2"
		249 |   encrypted         = true
		250 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		251 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		252 | 
		253 |   lifecycle {
		254 |     ignore_changes = [kms_key_id]
		255 |   }
		256 | 
		257 |   tags = merge(
		258 |     local.tags,
		259 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		260 |   )
		261 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:420-436
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		420 | resource "aws_ebs_volume" "oradata" {
		421 |   availability_zone = "eu-west-2a"
		422 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		423 |   type              = "gp2"
		424 |   encrypted         = true
		425 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		426 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		427 | 
		428 |   lifecycle {
		429 |     ignore_changes = [kms_key_id]
		430 |   }
		431 | 
		432 |   tags = merge(
		433 |     local.tags,
		434 |     { "Name" = "${local.application_name_short}-database-oradata" },
		435 |   )
		436 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:444-460
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		444 | resource "aws_ebs_volume" "oracle" {
		445 |   availability_zone = "eu-west-2a"
		446 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		447 |   type              = "gp2"
		448 |   encrypted         = true
		449 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		450 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		451 | 
		452 |   lifecycle {
		453 |     ignore_changes = [kms_key_id]
		454 |   }
		455 | 
		456 |   tags = merge(
		457 |     local.tags,
		458 |     { "Name" = "${local.application_name_short}-database-oracle" },
		459 |   )
		460 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:468-484
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		468 | resource "aws_ebs_volume" "oraarch" {
		469 |   availability_zone = "eu-west-2a"
		470 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		471 |   type              = "gp2"
		472 |   encrypted         = true
		473 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		474 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		475 | 
		476 |   lifecycle {
		477 |     ignore_changes = [kms_key_id]
		478 |   }
		479 | 
		480 |   tags = merge(
		481 |     local.tags,
		482 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		483 |   )
		484 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:492-508
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		492 | resource "aws_ebs_volume" "oratmp" {
		493 |   availability_zone = "eu-west-2a"
		494 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		495 |   type              = "gp2"
		496 |   encrypted         = true
		497 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		498 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		499 | 
		500 |   lifecycle {
		501 |     ignore_changes = [kms_key_id]
		502 |   }
		503 | 
		504 |   tags = merge(
		505 |     local.tags,
		506 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		507 |   )
		508 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:516-532
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		516 | resource "aws_ebs_volume" "oraredo" {
		517 |   availability_zone = "eu-west-2a"
		518 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		519 |   type              = "gp2"
		520 |   encrypted         = true
		521 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		522 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		523 | 
		524 |   lifecycle {
		525 |     ignore_changes = [kms_key_id]
		526 |   }
		527 | 
		528 |   tags = merge(
		529 |     local.tags,
		530 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		531 |   )
		532 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:540-556
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		540 | resource "aws_ebs_volume" "share" {
		541 |   availability_zone = "eu-west-2a"
		542 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		543 |   type              = "gp2"
		544 |   encrypted         = true
		545 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		546 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		547 | 
		548 |   lifecycle {
		549 |     ignore_changes = [kms_key_id]
		550 |   }
		551 | 
		552 |   tags = merge(
		553 |     local.tags,
		554 |     { "Name" = "${local.application_name_short}-database-share" },
		555 |   )
		556 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 119:
 119: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-10-30T13:59:37Z	INFO	[vulndb] Need to update DB
2024-10-30T13:59:37Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-30T13:59:37Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T13:59:39Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T13:59:39Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-30T13:59:39Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-30T13:59:39Z	INFO	[misconfig] Need to update the built-in checks
2024-10-30T13:59:39Z	INFO	[misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-30T13:59:39Z	INFO	[secret] Secret scanning is enabled
2024-10-30T13:59:39Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-30T13:59:39Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-30T13:59:41Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-30T13:59:41Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-30T13:59:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-30T13:59:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-30T13:59:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T13:59:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T13:59:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T13:59:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T13:59:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T13:59:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T13:59:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T13:59:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T13:59:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T13:59:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T13:59:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T13:59:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T13:59:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T13:59:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T13:59:44Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-30T13:59:45Z	INFO	Number of language-specific files	num=0
2024-10-30T13:59:45Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 │   enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 │   enable_http2               = false
 ...   
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:191-193
   via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
 180   resource "aws_instance" "app1" {
 ...   
 191 ┌   metadata_options {
 192 │     http_tokens = "optional"
 193 └   }
 ...   
 212   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:226-228
   via app_servers.tf:214-247 (aws_instance.app2[0])
────────────────────────────────────────
 214   resource "aws_instance" "app2" {
 ...   
 226 ┌   metadata_options {
 227 │     http_tokens = "optional"
 228 └   }
 ...   
 247   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:195-201
   via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
 180   resource "aws_instance" "app1" {
 ...   
 195 ┌   root_block_device {
 196 │     tags = merge(
 197 │       { "instance-scheduling" = "skip-scheduling" },
 198 │       local.tags,
 199 │       { "Name" = "${local.application_name_short}-app1-root" }
 200 │     )
 201 └   }
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:230-236
   via app_servers.tf:214-247 (aws_instance.app2[0])
────────────────────────────────────────
 214   resource "aws_instance" "app2" {
 ...   
 230 ┌   root_block_device {
 231 │     tags = merge(
 232 │       { "instance-scheduling" = "skip-scheduling" },
 233 │       local.tags,
 234 │       { "Name" = "${local.application_name_short}-app2-root" }
 235 │     )
 236 └   }
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:169-171
   via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
 158   resource "aws_instance" "concurrent_manager" {
 ...   
 169 ┌   metadata_options {
 170 │     http_tokens = "optional"
 171 └   }
 ...   
 190   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:173-179
   via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
 158   resource "aws_instance" "concurrent_manager" {
 ...   
 173 ┌   root_block_device {
 174 │     tags = merge(
 175 │       { "instance-scheduling" = "skip-scheduling" },
 176 │       local.tags,
 177 │       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
 178 │     )
 179 └   }
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:195-197
   via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
 184   resource "aws_instance" "database" {
 ...   
 195 ┌   metadata_options {
 196 │     http_tokens = "optional"
 197 └   }
 ...   
 213   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:199-205
   via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
 184   resource "aws_instance" "database" {
 ...   
 199 ┌   root_block_device {
 200 │     tags = merge(
 201 │       { "instance-scheduling" = "skip-scheduling" },
 202 │       local.tags,
 203 │       { "Name" = "${local.application_name_short}-database-root" }
 204 │     )
 205 └   }
 ...   
────────────────────────────────────────


trivy_exitcode=1
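The Trivy findings on app_servers.tf, concurrent_manager.tf, database.tf and alb.tf all have a one-attribute fix. The block below is an added example, not code from this PR or from the modernisation-platform-environments repository: it shows the hardened shape of one flagged instance and of the external load balancer. The ami, instance_type, subnet, security group and instance profile references are assumed placeholders; the local.* and data.* names are the ones that appear in the scan output above.

```hcl
# Added example (not the PR's code): hardened counterparts to the aws_instance
# and aws_lb resources flagged by avd-aws-0028, avd-aws-0131 and avd-aws-0052.
# ami, instance_type, subnet, security group and instance profile are assumed.

resource "aws_instance" "app1" {
  ami                    = local.application_data.accounts[local.environment].app_ami_id # assumed
  instance_type          = "m5.large"                                                    # assumed
  subnet_id              = data.aws_subnet.private_subnets_a.id                          # assumed
  vpc_security_group_ids = [aws_security_group.app.id]                                  # assumed
  iam_instance_profile   = aws_iam_instance_profile.app.name                             # assumed

  # avd-aws-0028: IMDSv2 only. With http_tokens = "required" a plain GET to
  # 169.254.169.254 is refused, so an SSRF in the application can no longer
  # read the instance role's credentials; the PUT that mints a session token
  # cannot be issued through most SSRF primitives.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1 # raise to 2 only if containers on the host must reach IMDS
  }

  # avd-aws-0131: encrypt the root volume with the shared EBS key the data
  # volumes already use. Changing `encrypted` on an existing instance forces
  # replacement, so this is a rebuild rather than an in-place update.
  root_block_device {
    encrypted  = true
    kms_key_id = data.aws_kms_key.ebs_shared.arn
    tags = merge(
      { "instance-scheduling" = "skip-scheduling" },
      local.tags,
      { "Name" = "${local.application_name_short}-app1-root" }
    )
  }

  tags = merge(local.tags, { "Name" = "${local.application_name_short}-app1" })
}

resource "aws_lb" "external" {
  name               = "${upper(local.application_name_short)}-LoadBalancer"
  internal           = false # avd-aws-0053 is expected here: this is the public entry point
  load_balancer_type = "application"
  security_groups    = [aws_security_group.external_lb.id]
  subnets = [
    data.aws_subnet.public_subnets_a.id,
    data.aws_subnet.public_subnets_b.id,
    data.aws_subnet.public_subnets_c.id,
  ]
  enable_deletion_protection = local.lb_enable_deletion_protection
  idle_timeout               = local.external_lb_idle_timeout
  enable_http2               = false

  # avd-aws-0052: requests whose header names are not valid HTTP tokens are
  # dropped at the ALB instead of being forwarded to the targets.
  drop_invalid_header_fields = true
}
```

Two checks before applying this to the existing hosts. First, anything on the box that still talks IMDSv1 breaks when http_tokens becomes required: user-data and DBA scripts that curl 169.254.169.254 must first obtain a token with a PUT to /latest/api/token (X-aws-ec2-metadata-token-ttl-seconds header) and send it as X-aws-ec2-metadata-token on every GET, and old SDKs or cloud-init builds need updating. The EC2 CloudWatch metric MetadataNoToken counts IMDSv1 calls per instance, so a non-zero value on a host means something there is not ready. Second, the root-volume change replaces the instance, which matters for hosts whose data volumes are attached from migration snapshots; plan that as a rebuild with the data volumes detached and reattached, not as a routine apply.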

@vc13837 vc13837 had a problem deploying to contract-work-administration-development October 30, 2024 15:16 — with GitHub Actions Failure
Contributor

Trivy Scan Failed

```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-10-30T15:17:06Z INFO [vulndb] Need to update DB
2024-10-30T15:17:06Z INFO [vulndb] Downloading vulnerability DB...
2024-10-30T15:17:06Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T15:17:08Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T15:17:08Z INFO [vuln] Vulnerability scanning is enabled
2024-10-30T15:17:08Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-30T15:17:08Z INFO [misconfig] Need to update the built-in checks
2024-10-30T15:17:08Z INFO [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-10-30T15:17:08Z INFO [secret] Secret scanning is enabled
2024-10-30T15:17:08Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-30T15:17:08Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-30T15:17:09Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-30T15:17:09Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-30T15:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-30T15:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-30T15:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T15:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T15:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T15:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T15:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T15:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T15:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T15:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T15:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T15:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T15:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T15:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T15:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T15:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T15:17:12Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-30T15:17:13Z INFO Number of language-specific files num=0
2024-10-30T15:17:13Z INFO Detected config files num=9

alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:191-193
via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
180 resource "aws_instance" "app1" {
...
191 ┌ metadata_options {
192 │ http_tokens = "optional"
193 └ }
...
212 }
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:226-228
via app_servers.tf:214-247 (aws_instance.app2[0])
────────────────────────────────────────
214 resource "aws_instance" "app2" {
...
226 ┌ metadata_options {
227 │ http_tokens = "optional"
228 └ }
...
247 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:195-201
via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
180 resource "aws_instance" "app1" {
...
195 ┌ root_block_device {
196 │ tags = merge(
197 │ { "instance-scheduling" = "skip-scheduling" },
198 │ local.tags,
199 │ { "Name" = "${local.application_name_short}-app1-root" }
200 │ )
201 └ }
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:230-236
via app_servers.tf:214-247 (aws_instance.app2[0])
────────────────────────────────────────
214 resource "aws_instance" "app2" {
...
230 ┌ root_block_device {
231 │ tags = merge(
232 │ { "instance-scheduling" = "skip-scheduling" },
233 │ local.tags,
234 │ { "Name" = "${local.application_name_short}-app2-root" }
235 │ )
236 └ }
...
────────────────────────────────────────

backup_lambda.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:169-171
via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
158 resource "aws_instance" "concurrent_manager" {
...
169 ┌ metadata_options {
170 │ http_tokens = "optional"
171 └ }
...
190 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:173-179
via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
158 resource "aws_instance" "concurrent_manager" {
...
173 ┌ root_block_device {
174 │ tags = merge(
175 │ { "instance-scheduling" = "skip-scheduling" },
176 │ local.tags,
177 │ { "Name" = "${local.application_name_short}-concurrent-manager-root" }
178 │ )
179 └ }
...
────────────────────────────────────────

database.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:195-197
via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
184 resource "aws_instance" "database" {
...
195 ┌ metadata_options {
196 │ http_tokens = "optional"
197 └ }
...
213 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:199-205
via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
184 resource "aws_instance" "database" {
...
199 ┌ root_block_device {
200 │ tags = merge(
201 │ { "instance-scheduling" = "skip-scheduling" },
202 │ local.tags,
203 │ { "Name" = "${local.application_name_short}-database-root" }
204 │ )
205 └ }
...
────────────────────────────────────────

trivy_exitcode=1

```

Checkov Scan Failed

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-30 15:17:15,401 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 15:17:15,401 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 15:17:15,402 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 15:17:15,435 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-30 15:17:15,435 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:180-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		180 | resource "aws_instance" "app1" {
		181 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		182 |   availability_zone           = "eu-west-2a"
		183 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		184 |   monitoring                  = true
		185 |   vpc_security_group_ids      = [aws_security_group.app.id]
		186 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		187 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		188 |   key_name                    = aws_key_pair.cwa.key_name
		189 |   user_data_base64            = base64encode(local.app_userdata)
		190 |   user_data_replace_on_change = false
		191 |   metadata_options {
		192 |     http_tokens = "optional"
		193 |   }
		194 | 
		195 |   root_block_device {
		196 |     tags = merge(
		197 |       { "instance-scheduling" = "skip-scheduling" },
		198 |       local.tags,
		199 |       { "Name" = "${local.application_name_short}-app1-root" }
		200 |     )
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     { "instance-scheduling" = "skip-scheduling" },
		205 |     local.tags,
		206 |     { "Name" = local.appserver1_ec2_name },
		207 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		208 |   )
		209 | 
		210 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		211 | 
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:180-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		180 | resource "aws_instance" "app1" {
		181 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		182 |   availability_zone           = "eu-west-2a"
		183 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		184 |   monitoring                  = true
		185 |   vpc_security_group_ids      = [aws_security_group.app.id]
		186 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		187 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		188 |   key_name                    = aws_key_pair.cwa.key_name
		189 |   user_data_base64            = base64encode(local.app_userdata)
		190 |   user_data_replace_on_change = false
		191 |   metadata_options {
		192 |     http_tokens = "optional"
		193 |   }
		194 | 
		195 |   root_block_device {
		196 |     tags = merge(
		197 |       { "instance-scheduling" = "skip-scheduling" },
		198 |       local.tags,
		199 |       { "Name" = "${local.application_name_short}-app1-root" }
		200 |     )
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     { "instance-scheduling" = "skip-scheduling" },
		205 |     local.tags,
		206 |     { "Name" = local.appserver1_ec2_name },
		207 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		208 |   )
		209 | 
		210 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		211 | 
		212 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:214-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		214 | resource "aws_instance" "app2" {
		215 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		216 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		217 |   availability_zone      = "eu-west-2b"
		218 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		219 |   monitoring             = true
		220 |   vpc_security_group_ids = [aws_security_group.app.id]
		221 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		222 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		223 |   key_name               = aws_key_pair.cwa.key_name
		224 |   user_data_base64       = base64encode(local.app_userdata)
		225 |   user_data_replace_on_change = true
		226 |   metadata_options {
		227 |     http_tokens = "optional"
		228 |   }
		229 | 
		230 |   root_block_device {
		231 |     tags = merge(
		232 |       { "instance-scheduling" = "skip-scheduling" },
		233 |       local.tags,
		234 |       { "Name" = "${local.application_name_short}-app2-root" }
		235 |     )
		236 |   }
		237 | 
		238 |   tags = merge(
		239 |     { "instance-scheduling" = "skip-scheduling" },
		240 |     local.tags,
		241 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		242 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		243 |   )
		244 | 
		245 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		246 | 
		247 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:214-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		214 | resource "aws_instance" "app2" {
		215 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		216 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		217 |   availability_zone      = "eu-west-2b"
		218 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		219 |   monitoring             = true
		220 |   vpc_security_group_ids = [aws_security_group.app.id]
		221 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		222 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		223 |   key_name               = aws_key_pair.cwa.key_name
		224 |   user_data_base64       = base64encode(local.app_userdata)
		225 |   user_data_replace_on_change = true
		226 |   metadata_options {
		227 |     http_tokens = "optional"
		228 |   }
		229 | 
		230 |   root_block_device {
		231 |     tags = merge(
		232 |       { "instance-scheduling" = "skip-scheduling" },
		233 |       local.tags,
		234 |       { "Name" = "${local.application_name_short}-app2-root" }
		235 |     )
		236 |   }
		237 | 
		238 |   tags = merge(
		239 |     { "instance-scheduling" = "skip-scheduling" },
		240 |     local.tags,
		241 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		242 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		243 |   )
		244 | 
		245 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		246 | 
		247 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:265-269
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		265 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		266 |   security_group_id = aws_security_group.app.id
		267 |   cidr_ipv4         = "0.0.0.0/0"
		268 |   ip_protocol       = "-1"
		269 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:271-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		271 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		272 |   security_group_id            = aws_security_group.app.id
		273 |   description                  = "SSH from the Bastion"
		274 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		275 |   from_port                    = 22
		276 |   ip_protocol                  = "tcp"
		277 |   to_port                      = 22
		278 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:158-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		158 | resource "aws_instance" "concurrent_manager" {
		159 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		160 |   availability_zone           = "eu-west-2a"
		161 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		162 |   monitoring                  = true
		163 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		164 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		165 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		166 |   key_name                    = aws_key_pair.cwa.key_name
		167 |   user_data_base64            = base64encode(local.cm_userdata)
		168 |   user_data_replace_on_change = false
		169 |   metadata_options {
		170 |     http_tokens = "optional"
		171 |   }
		172 | 
		173 |   root_block_device {
		174 |     tags = merge(
		175 |       { "instance-scheduling" = "skip-scheduling" },
		176 |       local.tags,
		177 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		178 |     )
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     { "instance-scheduling" = "skip-scheduling" },
		183 |     local.tags,
		184 |     { "Name" = local.cm_ec2_name },
		185 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		186 |   )
		187 | 
		188 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		189 | 
		190 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:158-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		158 | resource "aws_instance" "concurrent_manager" {
		159 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		160 |   availability_zone           = "eu-west-2a"
		161 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		162 |   monitoring                  = true
		163 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		164 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		165 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		166 |   key_name                    = aws_key_pair.cwa.key_name
		167 |   user_data_base64            = base64encode(local.cm_userdata)
		168 |   user_data_replace_on_change = false
		169 |   metadata_options {
		170 |     http_tokens = "optional"
		171 |   }
		172 | 
		173 |   root_block_device {
		174 |     tags = merge(
		175 |       { "instance-scheduling" = "skip-scheduling" },
		176 |       local.tags,
		177 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		178 |     )
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     { "instance-scheduling" = "skip-scheduling" },
		183 |     local.tags,
		184 |     { "Name" = local.cm_ec2_name },
		185 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		186 |   )
		187 | 
		188 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		189 | 
		190 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:208-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		208 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		209 |   security_group_id = aws_security_group.concurrent_manager.id
		210 |   cidr_ipv4         = "0.0.0.0/0"
		211 |   ip_protocol       = "-1"
		212 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:214-221
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		214 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		215 |   security_group_id            = aws_security_group.concurrent_manager.id
		216 |   description                  = "SSH from the Bastion"
		217 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		218 |   from_port                    = 22
		219 |   ip_protocol                  = "tcp"
		220 |   to_port                      = 22
		221 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:184-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		184 | resource "aws_instance" "database" {
		185 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		186 |   availability_zone           = "eu-west-2a"
		187 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		188 |   monitoring                  = true
		189 |   vpc_security_group_ids      = [aws_security_group.database.id]
		190 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		191 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		192 |   key_name                    = aws_key_pair.cwa.key_name
		193 |   user_data_base64            = base64encode(local.db_userdata)
		194 |   user_data_replace_on_change = false
		195 |   metadata_options {
		196 |     http_tokens = "optional"
		197 |   }
		198 | 
		199 |   root_block_device {
		200 |     tags = merge(
		201 |       { "instance-scheduling" = "skip-scheduling" },
		202 |       local.tags,
		203 |       { "Name" = "${local.application_name_short}-database-root" }
		204 |     )
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     { "instance-scheduling" = "skip-scheduling" },
		209 |     local.tags,
		210 |     { "Name" = local.database_ec2_name }
		211 |   )
		212 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:184-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		184 | resource "aws_instance" "database" {
		185 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		186 |   availability_zone           = "eu-west-2a"
		187 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		188 |   monitoring                  = true
		189 |   vpc_security_group_ids      = [aws_security_group.database.id]
		190 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		191 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		192 |   key_name                    = aws_key_pair.cwa.key_name
		193 |   user_data_base64            = base64encode(local.db_userdata)
		194 |   user_data_replace_on_change = false
		195 |   metadata_options {
		196 |     http_tokens = "optional"
		197 |   }
		198 | 
		199 |   root_block_device {
		200 |     tags = merge(
		201 |       { "instance-scheduling" = "skip-scheduling" },
		202 |       local.tags,
		203 |       { "Name" = "${local.application_name_short}-database-root" }
		204 |     )
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     { "instance-scheduling" = "skip-scheduling" },
		209 |     local.tags,
		210 |     { "Name" = local.database_ec2_name }
		211 |   )
		212 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		213 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:236-240
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		236 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		237 |   security_group_id = aws_security_group.database.id
		238 |   cidr_ipv4         = "0.0.0.0/0"
		239 |   ip_protocol       = "-1"
		240 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:242-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		242 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		243 |   security_group_id            = aws_security_group.database.id
		244 |   description                  = "SSH from the Bastion"
		245 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		246 |   from_port                    = 22
		247 |   ip_protocol                  = "tcp"
		248 |   to_port                      = 22
		249 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:251-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		251 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		252 |   security_group_id            = aws_security_group.database.id
		253 |   description                  = "Allow Lambda SSH access for backup snapshots"
		254 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		255 |   from_port                    = 22
		256 |   ip_protocol                  = "tcp"
		257 |   to_port                      = 22
		258 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:385-401
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		385 | resource "aws_ebs_volume" "app1" {
		386 |   availability_zone = "eu-west-2a"
		387 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		388 |   type              = "gp2"
		389 |   encrypted         = true
		390 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		391 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		392 | 
		393 |   lifecycle {
		394 |     ignore_changes = [kms_key_id]
		395 |   }
		396 | 
		397 |   tags = merge(
		398 |     local.tags,
		399 |     { "Name" = "${local.application_name_short}-app1-data" },
		400 |   )
		401 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:409-426
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		409 | resource "aws_ebs_volume" "app2" {
		410 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		411 |   availability_zone = "eu-west-2a"
		412 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		413 |   type              = "gp2"
		414 |   encrypted         = true
		415 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		416 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		417 | 
		418 |   lifecycle {
		419 |     ignore_changes = [kms_key_id]
		420 |   }
		421 | 
		422 |   tags = merge(
		423 |     local.tags,
		424 |     { "Name" = "${local.application_name_short}-app2-data" },
		425 |   )
		426 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:245-261
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		245 | resource "aws_ebs_volume" "concurrent_manager" {
		246 |   availability_zone = "eu-west-2a"
		247 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		248 |   type              = "gp2"
		249 |   encrypted         = true
		250 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		251 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		252 | 
		253 |   lifecycle {
		254 |     ignore_changes = [kms_key_id]
		255 |   }
		256 | 
		257 |   tags = merge(
		258 |     local.tags,
		259 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		260 |   )
		261 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:420-436
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		420 | resource "aws_ebs_volume" "oradata" {
		421 |   availability_zone = "eu-west-2a"
		422 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		423 |   type              = "gp2"
		424 |   encrypted         = true
		425 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		426 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		427 | 
		428 |   lifecycle {
		429 |     ignore_changes = [kms_key_id]
		430 |   }
		431 | 
		432 |   tags = merge(
		433 |     local.tags,
		434 |     { "Name" = "${local.application_name_short}-database-oradata" },
		435 |   )
		436 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:444-460
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		444 | resource "aws_ebs_volume" "oracle" {
		445 |   availability_zone = "eu-west-2a"
		446 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		447 |   type              = "gp2"
		448 |   encrypted         = true
		449 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		450 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		451 | 
		452 |   lifecycle {
		453 |     ignore_changes = [kms_key_id]
		454 |   }
		455 | 
		456 |   tags = merge(
		457 |     local.tags,
		458 |     { "Name" = "${local.application_name_short}-database-oracle" },
		459 |   )
		460 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:468-484
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		468 | resource "aws_ebs_volume" "oraarch" {
		469 |   availability_zone = "eu-west-2a"
		470 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		471 |   type              = "gp2"
		472 |   encrypted         = true
		473 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		474 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		475 | 
		476 |   lifecycle {
		477 |     ignore_changes = [kms_key_id]
		478 |   }
		479 | 
		480 |   tags = merge(
		481 |     local.tags,
		482 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		483 |   )
		484 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:492-508
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		492 | resource "aws_ebs_volume" "oratmp" {
		493 |   availability_zone = "eu-west-2a"
		494 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		495 |   type              = "gp2"
		496 |   encrypted         = true
		497 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		498 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		499 | 
		500 |   lifecycle {
		501 |     ignore_changes = [kms_key_id]
		502 |   }
		503 | 
		504 |   tags = merge(
		505 |     local.tags,
		506 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		507 |   )
		508 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:516-532
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		516 | resource "aws_ebs_volume" "oraredo" {
		517 |   availability_zone = "eu-west-2a"
		518 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		519 |   type              = "gp2"
		520 |   encrypted         = true
		521 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		522 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		523 | 
		524 |   lifecycle {
		525 |     ignore_changes = [kms_key_id]
		526 |   }
		527 | 
		528 |   tags = merge(
		529 |     local.tags,
		530 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		531 |   )
		532 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:540-556
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		540 | resource "aws_ebs_volume" "share" {
		541 |   availability_zone = "eu-west-2a"
		542 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		543 |   type              = "gp2"
		544 |   encrypted         = true
		545 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		546 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		547 | 
		548 |   lifecycle {
		549 |     ignore_changes = [kms_key_id]
		550 |   }
		551 | 
		552 |   tags = merge(
		553 |     local.tags,
		554 |     { "Name" = "${local.application_name_short}-database-share" },
		555 |   )
		556 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/database.tf line 175:
 175: resource "time_sleep" "wait_db_userdata_scripts" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-10-30T15:17:06Z	INFO	[vulndb] Need to update DB
2024-10-30T15:17:06Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-30T15:17:06Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T15:17:08Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T15:17:08Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-30T15:17:08Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-30T15:17:08Z	INFO	[misconfig] Need to update the built-in checks
2024-10-30T15:17:08Z	INFO	[misconfig] Downloading the built-in checks...
2024-10-30T15:17:08Z	INFO	[secret] Secret scanning is enabled
2024-10-30T15:17:08Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-30T15:17:08Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-30T15:17:09Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-30T15:17:09Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-30T15:17:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-30T15:17:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-30T15:17:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T15:17:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T15:17:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T15:17:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T15:17:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T15:17:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T15:17:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T15:17:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T15:17:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T15:17:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T15:17:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T15:17:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T15:17:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T15:17:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T15:17:12Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-30T15:17:13Z	INFO	Number of language-specific files	num=0
2024-10-30T15:17:13Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:191-193
   via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
 180   resource "aws_instance" "app1" {
 ...   
 191 ┌   metadata_options {
 192 │     http_tokens = "optional"
 193 └   }
 ...   
 212   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:226-228
   via app_servers.tf:214-247 (aws_instance.app2[0])
────────────────────────────────────────
 214   resource "aws_instance" "app2" {
 ...   
 226 ┌   metadata_options {
 227 │     http_tokens = "optional"
 228 └   }
 ...   
 247   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:195-201
   via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
 180   resource "aws_instance" "app1" {
 ...   
 195 ┌   root_block_device {
 196 │     tags = merge(
 197 │       { "instance-scheduling" = "skip-scheduling" },
 198 │       local.tags,
 199 │       { "Name" = "${local.application_name_short}-app1-root" }
 200 │     )
 201 └   }
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:230-236
   via app_servers.tf:214-247 (aws_instance.app2[0])
────────────────────────────────────────
 214   resource "aws_instance" "app2" {
 ...   
 230 ┌   root_block_device {
 231 │     tags = merge(
 232 │       { "instance-scheduling" = "skip-scheduling" },
 233 │       local.tags,
 234 │       { "Name" = "${local.application_name_short}-app2-root" }
 235 │     )
 236 └   }
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:169-171
   via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
 158   resource "aws_instance" "concurrent_manager" {
 ...   
 169 ┌   metadata_options {
 170 │     http_tokens = "optional"
 171 └   }
 ...   
 190   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:173-179
   via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
 158   resource "aws_instance" "concurrent_manager" {
 ...   
 173 ┌   root_block_device {
 174 │     tags = merge(
 175 │       { "instance-scheduling" = "skip-scheduling" },
 176 │       local.tags,
 177 │       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
 178 │     )
 179 └   }
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:195-197
   via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
 184   resource "aws_instance" "database" {
 ...   
 195 ┌   metadata_options {
 196 │     http_tokens = "optional"
 197 └   }
 ...   
 213   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:199-205
   via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
 184   resource "aws_instance" "database" {
 ...   
 199 ┌   root_block_device {
 200 │     tags = merge(
 201 │       { "instance-scheduling" = "skip-scheduling" },
 202 │       local.tags,
 203 │       { "Name" = "${local.application_name_short}-database-root" }
 204 │     )
 205 └   }
 ...   
────────────────────────────────────────


trivy_exitcode=1
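
The findings in the scan output above, closed in one Terraform file. This is an added example, not code from this PR or from the modernisation-platform-environments repository: resource names and the `local.*` values mirror what the scanners reported, `data.aws_kms_key.ebs_shared` is the key the page already uses for the EBS share volume, while `aws_kms_key.s3`, the provider version constraints and the lifecycle retention periods are assumptions to adjust for the real account.

```hcl
# Added example, not project code: one file that closes each class of finding
# raised by tflint, checkov and trivy above. local.* values and
# data.aws_kms_key.ebs_shared come from the page; aws_kms_key.s3, the provider
# versions and the retention periods are assumptions.

terraform {
  required_providers {
    # tflint terraform_required_providers: pin every provider the module uses,
    # including those only reached through a data source.
    aws     = { source = "hashicorp/aws", version = "~> 5.0" }
    archive = { source = "hashicorp/archive", version = "~> 2.4" } # data.archive_file.connect_db
    local   = { source = "hashicorp/local", version = "~> 2.5" }   # data.local_file.cm_custom_metrics
    time    = { source = "hashicorp/time", version = "~> 0.12" }   # time_sleep.wait_db_userdata_scripts
    # data.template_file.dashboard_no_ha: hashicorp/template is archived at 2.2.x,
    # so pin it for now and migrate the dashboard to the built-in templatefile().
    template = { source = "hashicorp/template", version = "~> 2.2" }
  }
}

# avd-aws-0028 and avd-aws-0131 on aws_instance.app1; app2, concurrent_manager
# and database need the same two blocks. Other arguments are unchanged.
resource "aws_instance" "app1" {
  ami                  = local.application_data.accounts[local.environment].app_ami_id
  instance_type        = local.application_data.accounts[local.environment].app_instance_type
  subnet_id            = data.aws_subnet.private_subnets_a.id
  iam_instance_profile = aws_iam_instance_profile.cwa.id

  metadata_options {
    http_endpoint = "enabled"
    # was "optional": with IMDSv1 allowed, an SSRF in the app or any local user
    # can GET the instance-profile credentials from 169.254.169.254 without
    # first obtaining a session token via PUT /latest/api/token.
    http_tokens                 = "required"
    http_put_response_hop_limit = 1 # keeps the token on the host; 2 only if containers on the box need IMDS
  }

  root_block_device {
    encrypted  = true
    kms_key_id = data.aws_kms_key.ebs_shared.arn # root_block_device takes the key ARN, not key_id
    tags = merge(
      { "instance-scheduling" = "skip-scheduling" },
      local.tags,
      { "Name" = "${local.application_name_short}-app1-root" }
    )
  }
}

# avd-aws-0088, avd-aws-0132 and CKV2_AWS_61 on aws_s3_bucket.scripts.
resource "aws_s3_bucket" "scripts" {
  bucket = "${local.application_name_short}-${local.environment}-scripts"
  tags   = merge(local.tags, { Name = "${local.application_name_short}-${local.environment}-scripts" })
}

resource "aws_s3_bucket_server_side_encryption_configuration" "scripts" {
  bucket = aws_s3_bucket.scripts.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn # assumed CMK; SSE-S3 (AES256) clears 0088 but not 0132
    }
    bucket_key_enabled = true # one data key per bucket instead of one KMS call per object
  }
}

resource "aws_s3_bucket_versioning" "scripts" {
  bucket = aws_s3_bucket.scripts.id
  versioning_configuration { status = "Enabled" }
}

resource "aws_s3_bucket_lifecycle_configuration" "scripts" {
  bucket     = aws_s3_bucket.scripts.id
  depends_on = [aws_s3_bucket_versioning.scripts] # noncurrent rules need versioning first
  rule {
    id     = "tidy-scripts"
    status = "Enabled"
    filter {} # whole bucket
    noncurrent_version_expiration { noncurrent_days = 90 } # assumed retention for superseded scripts
    abort_incomplete_multipart_upload { days_after_initiation = 7 }
  }
}

# avd-aws-0052: drop malformed header fields at the edge. avd-aws-0053 fires on
# every internet-facing ALB; this one sits in public subnets by design, so the
# decision is recorded with an ignore rather than by flipping internal = false.
# Other arguments are unchanged.
#trivy:ignore:AVD-AWS-0053
resource "aws_lb" "external" {
  name                       = "${upper(local.application_name_short)}-LoadBalancer"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.external_lb.id]
  subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
  drop_invalid_header_fields = true # default is false
}
```

Two things to check in the plan before applying this to the existing Oracle estate: `http_tokens` is changed in place, but anything on the host that talks to IMDS (cloud-init, the AWS CLI/SDK, the CloudWatch agent, any vendor tooling) has to support IMDSv2 session tokens or it will start failing silently; and setting `encrypted = true` on `root_block_device` of an existing instance forces replacement, so the practical route is an encrypted copy of the AMI (or a snapshot of the root volume) launched fresh. The remaining CKV_AWS_192 finding is on the CloudFormation WAF, not the Terraform: checkov looks for the AWSManagedRulesKnownBadInputsRuleSet managed rule group in the web ACL with its Log4JRCE rule not excluded, which blocks the `${jndi:...}` lookup strings at the edge.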

@vc13837 vc13837 temporarily deployed to contract-work-administration-development October 30, 2024 15:27 — with GitHub Actions Inactive
Contributor

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-10-30T15:28:27Z INFO [vulndb] Need to update DB
2024-10-30T15:28:27Z INFO [vulndb] Downloading vulnerability DB...
2024-10-30T15:28:27Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T15:28:29Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T15:28:29Z INFO [vuln] Vulnerability scanning is enabled
2024-10-30T15:28:29Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-30T15:28:29Z INFO [misconfig] Need to update the built-in checks
2024-10-30T15:28:29Z INFO [misconfig] Downloading the built-in checks...
2024-10-30T15:28:29Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 81.241µs, allowed: 44000/minute\n\n"
2024-10-30T15:28:29Z INFO [secret] Secret scanning is enabled
2024-10-30T15:28:29Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-30T15:28:29Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-30T15:28:30Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-30T15:28:30Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-30T15:28:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-30T15:28:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-30T15:28:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T15:28:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T15:28:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T15:28:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T15:28:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T15:28:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T15:28:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T15:28:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T15:28:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T15:28:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T15:28:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T15:28:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T15:28:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T15:28:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T15:28:32Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-30T15:28:33Z INFO Number of language-specific files num=0
2024-10-30T15:28:33Z INFO Detected config files num=9

alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:132
via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
130 resource "aws_lb" "external" {
...
132 [ internal = false
...
153 }
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:192
via app_servers.tf:191-193 (metadata_options)
via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
180 resource "aws_instance" "app1" {
...
192 [ http_tokens = "optional"
...
212 }
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:227
via app_servers.tf:226-228 (metadata_options)
via app_servers.tf:214-247 (aws_instance.app2[0])
────────────────────────────────────────
214 resource "aws_instance" "app2" {
...
227 [ http_tokens = "optional"
...
247 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:180-212
────────────────────────────────────────
180 ┌ resource "aws_instance" "app1" {
181 │ ami = local.application_data.accounts[local.environment].app_ami_id
182 │ availability_zone = "eu-west-2a"
183 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
184 │ monitoring = true
185 │ vpc_security_group_ids = [aws_security_group.app.id]
186 │ subnet_id = data.aws_subnet.private_subnets_a.id
187 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
188 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:214-247
────────────────────────────────────────
214 ┌ resource "aws_instance" "app2" {
215 │ count = contains(["development2", "testing"], local.environment) ? 0 : 1
216 │ ami = local.application_data.accounts[local.environment].app_ami_id
217 │ availability_zone = "eu-west-2b"
218 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
219 │ monitoring = true
220 │ vpc_security_group_ids = [aws_security_group.app.id]
221 │ subnet_id = data.aws_subnet.private_subnets_b.id
222 └ iam_instance_profile = aws_iam_instance_profile.cwa.id
...
────────────────────────────────────────

backup_lambda.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:170
via concurrent_manager.tf:169-171 (metadata_options)
via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
158 resource "aws_instance" "concurrent_manager" {
...
170 [ http_tokens = "optional"
...
190 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:158-190
────────────────────────────────────────
158 ┌ resource "aws_instance" "concurrent_manager" {
159 │ ami = local.application_data.accounts[local.environment].cm_ami_id
160 │ availability_zone = "eu-west-2a"
161 │ instance_type = local.application_data.accounts[local.environment].cm_instance_type
162 │ monitoring = true
163 │ vpc_security_group_ids = [aws_security_group.concurrent_manager.id]
164 │ subnet_id = data.aws_subnet.private_subnets_a.id
165 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
166 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

database.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:196
via database.tf:195-197 (metadata_options)
via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
184 resource "aws_instance" "database" {
...
196 [ http_tokens = "optional"
...
213 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:184-213
────────────────────────────────────────
184 ┌ resource "aws_instance" "database" {
185 │ ami = local.application_data.accounts[local.environment].db_ami_id
186 │ availability_zone = "eu-west-2a"
187 │ instance_type = local.application_data.accounts[local.environment].db_instance_type
188 │ monitoring = true
189 │ vpc_security_group_ids = [aws_security_group.database.id]
190 │ subnet_id = data.aws_subnet.data_subnets_a.id
191 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
192 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

trivy_exitcode=1

```
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-30 15:28:35,906 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 15:28:35,906 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 15:28:35,906 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 15:28:35,932 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-30 15:28:35,947 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:180-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		180 | resource "aws_instance" "app1" {
		181 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		182 |   availability_zone           = "eu-west-2a"
		183 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		184 |   monitoring                  = true
		185 |   vpc_security_group_ids      = [aws_security_group.app.id]
		186 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		187 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		188 |   key_name                    = aws_key_pair.cwa.key_name
		189 |   user_data_base64            = base64encode(local.app_userdata)
		190 |   user_data_replace_on_change = false
		191 |   metadata_options {
		192 |     http_tokens = "optional"
		193 |   }
		194 | 
		195 |   root_block_device {
		196 |     tags = merge(
		197 |       { "instance-scheduling" = "skip-scheduling" },
		198 |       local.tags,
		199 |       { "Name" = "${local.application_name_short}-app1-root" }
		200 |     )
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     { "instance-scheduling" = "skip-scheduling" },
		205 |     local.tags,
		206 |     { "Name" = local.appserver1_ec2_name },
		207 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		208 |   )
		209 | 
		210 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		211 | 
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:180-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		180 | resource "aws_instance" "app1" {
		181 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		182 |   availability_zone           = "eu-west-2a"
		183 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		184 |   monitoring                  = true
		185 |   vpc_security_group_ids      = [aws_security_group.app.id]
		186 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		187 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		188 |   key_name                    = aws_key_pair.cwa.key_name
		189 |   user_data_base64            = base64encode(local.app_userdata)
		190 |   user_data_replace_on_change = false
		191 |   metadata_options {
		192 |     http_tokens = "optional"
		193 |   }
		194 | 
		195 |   root_block_device {
		196 |     tags = merge(
		197 |       { "instance-scheduling" = "skip-scheduling" },
		198 |       local.tags,
		199 |       { "Name" = "${local.application_name_short}-app1-root" }
		200 |     )
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     { "instance-scheduling" = "skip-scheduling" },
		205 |     local.tags,
		206 |     { "Name" = local.appserver1_ec2_name },
		207 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		208 |   )
		209 | 
		210 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		211 | 
		212 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:214-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		214 | resource "aws_instance" "app2" {
		215 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		216 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		217 |   availability_zone      = "eu-west-2b"
		218 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		219 |   monitoring             = true
		220 |   vpc_security_group_ids = [aws_security_group.app.id]
		221 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		222 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		223 |   key_name               = aws_key_pair.cwa.key_name
		224 |   user_data_base64       = base64encode(local.app_userdata)
		225 |   user_data_replace_on_change = true
		226 |   metadata_options {
		227 |     http_tokens = "optional"
		228 |   }
		229 | 
		230 |   root_block_device {
		231 |     tags = merge(
		232 |       { "instance-scheduling" = "skip-scheduling" },
		233 |       local.tags,
		234 |       { "Name" = "${local.application_name_short}-app2-root" }
		235 |     )
		236 |   }
		237 | 
		238 |   tags = merge(
		239 |     { "instance-scheduling" = "skip-scheduling" },
		240 |     local.tags,
		241 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		242 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		243 |   )
		244 | 
		245 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		246 | 
		247 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:214-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		214 | resource "aws_instance" "app2" {
		215 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		216 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		217 |   availability_zone      = "eu-west-2b"
		218 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		219 |   monitoring             = true
		220 |   vpc_security_group_ids = [aws_security_group.app.id]
		221 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		222 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		223 |   key_name               = aws_key_pair.cwa.key_name
		224 |   user_data_base64       = base64encode(local.app_userdata)
		225 |   user_data_replace_on_change = true
		226 |   metadata_options {
		227 |     http_tokens = "optional"
		228 |   }
		229 | 
		230 |   root_block_device {
		231 |     tags = merge(
		232 |       { "instance-scheduling" = "skip-scheduling" },
		233 |       local.tags,
		234 |       { "Name" = "${local.application_name_short}-app2-root" }
		235 |     )
		236 |   }
		237 | 
		238 |   tags = merge(
		239 |     { "instance-scheduling" = "skip-scheduling" },
		240 |     local.tags,
		241 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		242 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		243 |   )
		244 | 
		245 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		246 | 
		247 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:265-269
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		265 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		266 |   security_group_id = aws_security_group.app.id
		267 |   cidr_ipv4         = "0.0.0.0/0"
		268 |   ip_protocol       = "-1"
		269 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:271-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		271 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		272 |   security_group_id            = aws_security_group.app.id
		273 |   description                  = "SSH from the Bastion"
		274 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		275 |   from_port                    = 22
		276 |   ip_protocol                  = "tcp"
		277 |   to_port                      = 22
		278 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:158-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		158 | resource "aws_instance" "concurrent_manager" {
		159 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		160 |   availability_zone           = "eu-west-2a"
		161 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		162 |   monitoring                  = true
		163 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		164 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		165 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		166 |   key_name                    = aws_key_pair.cwa.key_name
		167 |   user_data_base64            = base64encode(local.cm_userdata)
		168 |   user_data_replace_on_change = false
		169 |   metadata_options {
		170 |     http_tokens = "optional"
		171 |   }
		172 | 
		173 |   root_block_device {
		174 |     tags = merge(
		175 |       { "instance-scheduling" = "skip-scheduling" },
		176 |       local.tags,
		177 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		178 |     )
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     { "instance-scheduling" = "skip-scheduling" },
		183 |     local.tags,
		184 |     { "Name" = local.cm_ec2_name },
		185 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		186 |   )
		187 | 
		188 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		189 | 
		190 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:158-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		158 | resource "aws_instance" "concurrent_manager" {
		159 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		160 |   availability_zone           = "eu-west-2a"
		161 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		162 |   monitoring                  = true
		163 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		164 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		165 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		166 |   key_name                    = aws_key_pair.cwa.key_name
		167 |   user_data_base64            = base64encode(local.cm_userdata)
		168 |   user_data_replace_on_change = false
		169 |   metadata_options {
		170 |     http_tokens = "optional"
		171 |   }
		172 | 
		173 |   root_block_device {
		174 |     tags = merge(
		175 |       { "instance-scheduling" = "skip-scheduling" },
		176 |       local.tags,
		177 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		178 |     )
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     { "instance-scheduling" = "skip-scheduling" },
		183 |     local.tags,
		184 |     { "Name" = local.cm_ec2_name },
		185 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		186 |   )
		187 | 
		188 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		189 | 
		190 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:208-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		208 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		209 |   security_group_id = aws_security_group.concurrent_manager.id
		210 |   cidr_ipv4         = "0.0.0.0/0"
		211 |   ip_protocol       = "-1"
		212 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:214-221
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		214 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		215 |   security_group_id            = aws_security_group.concurrent_manager.id
		216 |   description                  = "SSH from the Bastion"
		217 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		218 |   from_port                    = 22
		219 |   ip_protocol                  = "tcp"
		220 |   to_port                      = 22
		221 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:184-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		184 | resource "aws_instance" "database" {
		185 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		186 |   availability_zone           = "eu-west-2a"
		187 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		188 |   monitoring                  = true
		189 |   vpc_security_group_ids      = [aws_security_group.database.id]
		190 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		191 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		192 |   key_name                    = aws_key_pair.cwa.key_name
		193 |   user_data_base64            = base64encode(local.db_userdata)
		194 |   user_data_replace_on_change = false
		195 |   metadata_options {
		196 |     http_tokens = "optional"
		197 |   }
		198 | 
		199 |   root_block_device {
		200 |     tags = merge(
		201 |       { "instance-scheduling" = "skip-scheduling" },
		202 |       local.tags,
		203 |       { "Name" = "${local.application_name_short}-database-root" }
		204 |     )
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     { "instance-scheduling" = "skip-scheduling" },
		209 |     local.tags,
		210 |     { "Name" = local.database_ec2_name }
		211 |   )
		212 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:184-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		184 | resource "aws_instance" "database" {
		185 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		186 |   availability_zone           = "eu-west-2a"
		187 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		188 |   monitoring                  = true
		189 |   vpc_security_group_ids      = [aws_security_group.database.id]
		190 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		191 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		192 |   key_name                    = aws_key_pair.cwa.key_name
		193 |   user_data_base64            = base64encode(local.db_userdata)
		194 |   user_data_replace_on_change = false
		195 |   metadata_options {
		196 |     http_tokens = "optional"
		197 |   }
		198 | 
		199 |   root_block_device {
		200 |     tags = merge(
		201 |       { "instance-scheduling" = "skip-scheduling" },
		202 |       local.tags,
		203 |       { "Name" = "${local.application_name_short}-database-root" }
		204 |     )
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     { "instance-scheduling" = "skip-scheduling" },
		209 |     local.tags,
		210 |     { "Name" = local.database_ec2_name }
		211 |   )
		212 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		213 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:236-240
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		236 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		237 |   security_group_id = aws_security_group.database.id
		238 |   cidr_ipv4         = "0.0.0.0/0"
		239 |   ip_protocol       = "-1"
		240 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:242-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		242 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		243 |   security_group_id            = aws_security_group.database.id
		244 |   description                  = "SSH from the Bastion"
		245 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		246 |   from_port                    = 22
		247 |   ip_protocol                  = "tcp"
		248 |   to_port                      = 22
		249 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:251-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		251 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		252 |   security_group_id            = aws_security_group.database.id
		253 |   description                  = "Allow Lambda SSH access for backup snapshots"
		254 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		255 |   from_port                    = 22
		256 |   ip_protocol                  = "tcp"
		257 |   to_port                      = 22
		258 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:385-401
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		385 | resource "aws_ebs_volume" "app1" {
		386 |   availability_zone = "eu-west-2a"
		387 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		388 |   type              = "gp2"
		389 |   encrypted         = true
		390 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		391 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		392 | 
		393 |   lifecycle {
		394 |     ignore_changes = [kms_key_id]
		395 |   }
		396 | 
		397 |   tags = merge(
		398 |     local.tags,
		399 |     { "Name" = "${local.application_name_short}-app1-data" },
		400 |   )
		401 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:409-426
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		409 | resource "aws_ebs_volume" "app2" {
		410 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		411 |   availability_zone = "eu-west-2b"
		412 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		413 |   type              = "gp2"
		414 |   encrypted         = true
		415 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		416 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		417 | 
		418 |   lifecycle {
		419 |     ignore_changes = [kms_key_id]
		420 |   }
		421 | 
		422 |   tags = merge(
		423 |     local.tags,
		424 |     { "Name" = "${local.application_name_short}-app2-data" },
		425 |   )
		426 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:245-261
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		245 | resource "aws_ebs_volume" "concurrent_manager" {
		246 |   availability_zone = "eu-west-2a"
		247 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		248 |   type              = "gp2"
		249 |   encrypted         = true
		250 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		251 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		252 | 
		253 |   lifecycle {
		254 |     ignore_changes = [kms_key_id]
		255 |   }
		256 | 
		257 |   tags = merge(
		258 |     local.tags,
		259 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		260 |   )
		261 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:420-436
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		420 | resource "aws_ebs_volume" "oradata" {
		421 |   availability_zone = "eu-west-2a"
		422 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		423 |   type              = "gp2"
		424 |   encrypted         = true
		425 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		426 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		427 | 
		428 |   lifecycle {
		429 |     ignore_changes = [kms_key_id]
		430 |   }
		431 | 
		432 |   tags = merge(
		433 |     local.tags,
		434 |     { "Name" = "${local.application_name_short}-database-oradata" },
		435 |   )
		436 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:444-460
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		444 | resource "aws_ebs_volume" "oracle" {
		445 |   availability_zone = "eu-west-2a"
		446 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		447 |   type              = "gp2"
		448 |   encrypted         = true
		449 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		450 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		451 | 
		452 |   lifecycle {
		453 |     ignore_changes = [kms_key_id]
		454 |   }
		455 | 
		456 |   tags = merge(
		457 |     local.tags,
		458 |     { "Name" = "${local.application_name_short}-database-oracle" },
		459 |   )
		460 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:468-484
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		468 | resource "aws_ebs_volume" "oraarch" {
		469 |   availability_zone = "eu-west-2a"
		470 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		471 |   type              = "gp2"
		472 |   encrypted         = true
		473 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		474 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		475 | 
		476 |   lifecycle {
		477 |     ignore_changes = [kms_key_id]
		478 |   }
		479 | 
		480 |   tags = merge(
		481 |     local.tags,
		482 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		483 |   )
		484 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:492-508
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		492 | resource "aws_ebs_volume" "oratmp" {
		493 |   availability_zone = "eu-west-2a"
		494 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		495 |   type              = "gp2"
		496 |   encrypted         = true
		497 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		498 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		499 | 
		500 |   lifecycle {
		501 |     ignore_changes = [kms_key_id]
		502 |   }
		503 | 
		504 |   tags = merge(
		505 |     local.tags,
		506 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		507 |   )
		508 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:516-532
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		516 | resource "aws_ebs_volume" "oraredo" {
		517 |   availability_zone = "eu-west-2a"
		518 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		519 |   type              = "gp2"
		520 |   encrypted         = true
		521 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		522 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		523 | 
		524 |   lifecycle {
		525 |     ignore_changes = [kms_key_id]
		526 |   }
		527 | 
		528 |   tags = merge(
		529 |     local.tags,
		530 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		531 |   )
		532 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:540-556
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		540 | resource "aws_ebs_volume" "share" {
		541 |   availability_zone = "eu-west-2a"
		542 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		543 |   type              = "gp2"
		544 |   encrypted         = true
		545 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		546 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		547 | 
		548 |   lifecycle {
		549 |     ignore_changes = [kms_key_id]
		550 |   }
		551 | 
		552 |   tags = merge(
		553 |     local.tags,
		554 |     { "Name" = "${local.application_name_short}-database-share" },
		555 |   )
		556 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/app_servers.tf line 170:
 170: resource "time_sleep" "wait_app_userdata_scripts" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-10-30T15:28:27Z	INFO	[vulndb] Need to update DB
2024-10-30T15:28:27Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-30T15:28:27Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T15:28:29Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T15:28:29Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-30T15:28:29Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-30T15:28:29Z	INFO	[misconfig] Need to update the built-in checks
2024-10-30T15:28:29Z	INFO	[misconfig] Downloading the built-in checks...
2024-10-30T15:28:29Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 81.241µs, allowed: 44000/minute\n\n"
2024-10-30T15:28:29Z	INFO	[secret] Secret scanning is enabled
2024-10-30T15:28:29Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-30T15:28:29Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-30T15:28:30Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-30T15:28:30Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-30T15:28:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-30T15:28:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-30T15:28:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T15:28:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T15:28:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T15:28:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T15:28:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T15:28:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T15:28:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T15:28:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T15:28:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T15:28:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T15:28:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T15:28:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T15:28:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T15:28:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T15:28:32Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-30T15:28:33Z	INFO	Number of language-specific files	num=0
2024-10-30T15:28:33Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [   internal                   = false
 ...   
 153   }
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default the `aws_instance` resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using the `metadata_options` block and its `http_tokens` variable set to `required`.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:192
   via app_servers.tf:191-193 (metadata_options)
    via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
 180   resource "aws_instance" "app1" {
 ...   
 192 [     http_tokens = "optional"
 ...   
 212   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default the `aws_instance` resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using the `metadata_options` block and its `http_tokens` variable set to `required`.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:227
   via app_servers.tf:226-228 (metadata_options)
    via app_servers.tf:214-247 (aws_instance.app2[0])
────────────────────────────────────────
 214   resource "aws_instance" "app2" {
 ...   
 227 [     http_tokens = "optional"
 ...   
 247   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:180-212
────────────────────────────────────────
 180 ┌ resource "aws_instance" "app1" {
 181 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 182 │   availability_zone           = "eu-west-2a"
 183 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 184 │   monitoring                  = true
 185 │   vpc_security_group_ids      = [aws_security_group.app.id]
 186 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 187 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 188 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:214-247
────────────────────────────────────────
 214 ┌ resource "aws_instance" "app2" {
 215 │   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
 216 │   ami                    = local.application_data.accounts[local.environment].app_ami_id
 217 │   availability_zone      = "eu-west-2b"
 218 │   instance_type          = local.application_data.accounts[local.environment].app_instance_type
 219 │   monitoring             = true
 220 │   vpc_security_group_ids = [aws_security_group.app.id]
 221 │   subnet_id              = data.aws_subnet.private_subnets_b.id
 222 └   iam_instance_profile   = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:170
   via concurrent_manager.tf:169-171 (metadata_options)
    via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
 158   resource "aws_instance" "concurrent_manager" {
 ...   
 170 [     http_tokens = "optional"
 ...   
 190   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:158-190
────────────────────────────────────────
 158 ┌ resource "aws_instance" "concurrent_manager" {
 159 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 160 │   availability_zone           = "eu-west-2a"
 161 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 162 │   monitoring                  = true
 163 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 164 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 165 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 166 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:196
   via database.tf:195-197 (metadata_options)
    via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
 184   resource "aws_instance" "database" {
 ...   
 196 [     http_tokens = "optional"
 ...   
 213   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:184-213
────────────────────────────────────────
 184 ┌ resource "aws_instance" "database" {
 185 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 186 │   availability_zone           = "eu-west-2a"
 187 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 188 │   monitoring                  = true
 189 │   vpc_security_group_ids      = [aws_security_group.database.id]
 190 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 191 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 192 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


trivy_exitcode=1
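
Added here as an editor's example, not code from this PR or the repository: one way to clear the findings the scan reports (IMDSv2 tokens, root volume encryption, S3 encryption with a customer managed key, the ALB header and deletion-protection checks, security group rule descriptions) using the same resource shapes the scanner prints. `aws_kms_key.ebs` and `aws_kms_key.s3` are assumed to exist in the stack; every other name, local and data source is taken from the scan output on this PR.

```hcl
# Editor's example, not part of this PR. Resource names, locals and data
# sources come from the Trivy/Checkov output; the two KMS keys are assumptions.

resource "aws_instance" "app1" {
  ami                    = local.application_data.accounts[local.environment].app_ami_id
  availability_zone      = "eu-west-2a"
  instance_type          = local.application_data.accounts[local.environment].app_instance_type
  monitoring             = true
  vpc_security_group_ids = [aws_security_group.app.id]
  subnet_id              = data.aws_subnet.private_subnets_a.id
  iam_instance_profile   = aws_iam_instance_profile.cwa.id
  key_name               = aws_key_pair.cwa.key_name
  user_data_base64       = base64encode(local.app_userdata)
  ebs_optimized          = true # CKV_AWS_135; needs an EBS-optimised capable instance type

  # avd-aws-0028 / CKV_AWS_79. With "optional", one unauthenticated GET to
  # 169.254.169.254 from an SSRF or any local process returns the cwa instance
  # profile's credentials; "required" forces the PUT-for-token handshake first.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1 # raise to 2 only if containers on the host need IMDS
  }

  # avd-aws-0131. Encryption is fixed when the volume is created, so adding it
  # to an existing instance replaces the instance: read the plan before merging.
  root_block_device {
    encrypted  = true
    kms_key_id = aws_kms_key.ebs.arn # assumption; omit to use the account default EBS key
    tags = merge(
      { "instance-scheduling" = "skip-scheduling" },
      local.tags,
      { "Name" = "${local.application_name_short}-app1-root" }
    )
  }

  tags = merge(local.tags, { "Name" = local.appserver1_ec2_name })
}

# avd-aws-0088 / avd-aws-0132. With AWS provider v4+ bucket encryption is a
# separate resource, so a bare aws_s3_bucket is reported as unencrypted even
# though S3 applies SSE-S3 by default; naming a CMK explicitly satisfies 0132.
resource "aws_s3_bucket" "scripts" {
  bucket = "${local.application_name_short}-${local.environment}-scripts"
  tags   = merge(local.tags, { Name = "${local.application_name_short}-${local.environment}-scripts" })
}

resource "aws_s3_bucket_server_side_encryption_configuration" "scripts" {
  bucket = aws_s3_bucket.scripts.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn # assumption
    }
    bucket_key_enabled = true # one bucket-level data key, far fewer KMS calls
  }
}

# avd-aws-0052 / CKV_AWS_131 and CKV_AWS_150. drop_invalid_header_fields is
# commented out in the PR's alb.tf; enabling it strips headers that are not
# valid per RFC 7230 before they reach the target. avd-aws-0053 (internal =
# false) is the intended design for an internet-facing ALB, so it is
# suppressed inline instead of "fixed".
#trivy:ignore:AVD-AWS-0053
resource "aws_lb" "external" {
  name                       = "${upper(local.application_name_short)}-LoadBalancer"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.external_lb.id]
  subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
  drop_invalid_header_fields = true
  enable_deletion_protection = true
  idle_timeout               = local.external_lb_idle_timeout
  enable_http2               = false
  tags                       = merge(local.tags, { Name = "${local.application_name}-LoadBalancer" })
}

# CKV_AWS_23: every rule carries a description so its intent survives review.
resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
  security_group_id = aws_security_group.external_lb.id
  description       = "HTTPS from the internet to the external ALB"
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}
```

Because this PR changes the instance user data, the IMDS setting deserves a check before it is applied: with `http_tokens = "required"`, any IMDSv1 call in the bootstrap scripts (a plain `curl http://169.254.169.254/latest/meta-data/...`) gets HTTP 401. Scripts need to fetch a token first with `curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` and send it as `X-aws-ec2-metadata-token` on every subsequent request; the AWS CLI and SDKs installed on the instance already do this. The root volume change is the one that replaces the instance, so it is best landed in its own PR.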

@vc13837 vc13837 had a problem deploying to contract-work-administration-development October 30, 2024 17:09 — with GitHub Actions Failure
Contributor

Trivy Scan Failed

```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-10-30T17:10:03Z INFO [vulndb] Need to update DB
2024-10-30T17:10:03Z INFO [vulndb] Downloading vulnerability DB...
2024-10-30T17:10:03Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T17:10:06Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T17:10:06Z INFO [vuln] Vulnerability scanning is enabled
2024-10-30T17:10:06Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-30T17:10:06Z INFO [misconfig] Need to update the built-in checks
2024-10-30T17:10:06Z INFO [misconfig] Downloading the built-in checks...
2024-10-30T17:10:06Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:6305306961f35e5295f110df324ec41b25d1b48376b3cb97ea91b3edbbf3c463: TOOMANYREQUESTS: retry-after: 71.972µs, allowed: 44000/minute"
2024-10-30T17:10:06Z INFO [secret] Secret scanning is enabled
2024-10-30T17:10:06Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-30T17:10:06Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-30T17:10:07Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-30T17:10:07Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-30T17:10:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-30T17:10:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-30T17:10:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T17:10:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T17:10:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T17:10:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T17:10:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T17:10:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T17:10:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T17:10:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T17:10:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T17:10:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T17:10:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T17:10:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T17:10:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T17:10:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T17:10:10Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-30T17:10:11Z INFO Number of language-specific files num=0
2024-10-30T17:10:11Z INFO Detected config files num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...
 132 [   internal = false
 ...
 153   }
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:192
   via app_servers.tf:191-193 (metadata_options)
    via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
 180   resource "aws_instance" "app1" {
 ...
 192 [     http_tokens = "optional"
 ...
 212   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:227
   via app_servers.tf:226-228 (metadata_options)
    via app_servers.tf:214-247 (aws_instance.app2[0])
────────────────────────────────────────
 214   resource "aws_instance" "app2" {
 ...
 227 [     http_tokens = "optional"
 ...
 247   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:180-212
────────────────────────────────────────
 180 ┌ resource "aws_instance" "app1" {
 181 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 182 │   availability_zone           = "eu-west-2a"
 183 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 184 │   monitoring                  = true
 185 │   vpc_security_group_ids      = [aws_security_group.app.id]
 186 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 187 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 188 └   key_name                    = aws_key_pair.cwa.key_name
 ...
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:214-247
────────────────────────────────────────
 214 ┌ resource "aws_instance" "app2" {
 215 │   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
 216 │   ami                    = local.application_data.accounts[local.environment].app_ami_id
 217 │   availability_zone      = "eu-west-2a"
 218 │   instance_type          = local.application_data.accounts[local.environment].app_instance_type
 219 │   monitoring             = true
 220 │   vpc_security_group_ids = [aws_security_group.app.id]
 221 │   subnet_id              = data.aws_subnet.private_subnets_a.id
 222 └   iam_instance_profile   = aws_iam_instance_profile.cwa.id
 ...
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:170
   via concurrent_manager.tf:169-171 (metadata_options)
    via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
 158   resource "aws_instance" "concurrent_manager" {
 ...
 170 [     http_tokens = "optional"
 ...
 190   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:158-190
────────────────────────────────────────
 158 ┌ resource "aws_instance" "concurrent_manager" {
 159 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 160 │   availability_zone           = "eu-west-2a"
 161 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 162 │   monitoring                  = true
 163 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 164 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 165 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 166 └   key_name                    = aws_key_pair.cwa.key_name
 ...
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:196
   via database.tf:195-197 (metadata_options)
    via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
 184   resource "aws_instance" "database" {
 ...
 196 [     http_tokens = "optional"
 ...
 213   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:184-213
────────────────────────────────────────
 184 ┌ resource "aws_instance" "database" {
 185 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 186 │   availability_zone           = "eu-west-2a"
 187 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 188 │   monitoring                  = true
 189 │   vpc_security_group_ids      = [aws_security_group.database.id]
 190 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 191 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 192 └   key_name                    = aws_key_pair.cwa.key_name
 ...
────────────────────────────────────────

trivy_exitcode=1

```

Checkov Scan Failed

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-30 17:10:14,245 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 17:10:14,245 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 17:10:14,245 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-30 17:10:14,275 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-30 17:10:14,275 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:180-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		180 | resource "aws_instance" "app1" {
		181 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		182 |   availability_zone           = "eu-west-2a"
		183 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		184 |   monitoring                  = true
		185 |   vpc_security_group_ids      = [aws_security_group.app.id]
		186 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		187 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		188 |   key_name                    = aws_key_pair.cwa.key_name
		189 |   user_data_base64            = base64encode(local.app_userdata)
		190 |   user_data_replace_on_change = false
		191 |   metadata_options {
		192 |     http_tokens = "optional"
		193 |   }
		194 | 
		195 |   root_block_device {
		196 |     tags = merge(
		197 |       { "instance-scheduling" = "skip-scheduling" },
		198 |       local.tags,
		199 |       { "Name" = "${local.application_name_short}-app1-root" }
		200 |     )
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     { "instance-scheduling" = "skip-scheduling" },
		205 |     local.tags,
		206 |     { "Name" = local.appserver1_ec2_name },
		207 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		208 |   )
		209 | 
		210 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		211 | 
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:180-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		180 | resource "aws_instance" "app1" {
		181 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		182 |   availability_zone           = "eu-west-2a"
		183 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		184 |   monitoring                  = true
		185 |   vpc_security_group_ids      = [aws_security_group.app.id]
		186 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		187 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		188 |   key_name                    = aws_key_pair.cwa.key_name
		189 |   user_data_base64            = base64encode(local.app_userdata)
		190 |   user_data_replace_on_change = false
		191 |   metadata_options {
		192 |     http_tokens = "optional"
		193 |   }
		194 | 
		195 |   root_block_device {
		196 |     tags = merge(
		197 |       { "instance-scheduling" = "skip-scheduling" },
		198 |       local.tags,
		199 |       { "Name" = "${local.application_name_short}-app1-root" }
		200 |     )
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     { "instance-scheduling" = "skip-scheduling" },
		205 |     local.tags,
		206 |     { "Name" = local.appserver1_ec2_name },
		207 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		208 |   )
		209 | 
		210 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		211 | 
		212 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:214-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		214 | resource "aws_instance" "app2" {
		215 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		216 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		217 |   availability_zone      = "eu-west-2a"
		218 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		219 |   monitoring             = true
		220 |   vpc_security_group_ids = [aws_security_group.app.id]
		221 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		222 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		223 |   key_name               = aws_key_pair.cwa.key_name
		224 |   user_data_base64       = base64encode(local.app_userdata)
		225 |   user_data_replace_on_change = true
		226 |   metadata_options {
		227 |     http_tokens = "optional"
		228 |   }
		229 | 
		230 |   root_block_device {
		231 |     tags = merge(
		232 |       { "instance-scheduling" = "skip-scheduling" },
		233 |       local.tags,
		234 |       { "Name" = "${local.application_name_short}-app2-root" }
		235 |     )
		236 |   }
		237 | 
		238 |   tags = merge(
		239 |     { "instance-scheduling" = "skip-scheduling" },
		240 |     local.tags,
		241 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		242 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		243 |   )
		244 | 
		245 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		246 | 
		247 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:214-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		214 | resource "aws_instance" "app2" {
		215 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		216 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		217 |   availability_zone      = "eu-west-2a"
		218 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		219 |   monitoring             = true
		220 |   vpc_security_group_ids = [aws_security_group.app.id]
		221 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		222 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		223 |   key_name               = aws_key_pair.cwa.key_name
		224 |   user_data_base64       = base64encode(local.app_userdata)
		225 |   user_data_replace_on_change = true
		226 |   metadata_options {
		227 |     http_tokens = "optional"
		228 |   }
		229 | 
		230 |   root_block_device {
		231 |     tags = merge(
		232 |       { "instance-scheduling" = "skip-scheduling" },
		233 |       local.tags,
		234 |       { "Name" = "${local.application_name_short}-app2-root" }
		235 |     )
		236 |   }
		237 | 
		238 |   tags = merge(
		239 |     { "instance-scheduling" = "skip-scheduling" },
		240 |     local.tags,
		241 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		242 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		243 |   )
		244 | 
		245 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		246 | 
		247 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:265-269
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		265 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		266 |   security_group_id = aws_security_group.app.id
		267 |   cidr_ipv4         = "0.0.0.0/0"
		268 |   ip_protocol       = "-1"
		269 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:271-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		271 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		272 |   security_group_id            = aws_security_group.app.id
		273 |   description                  = "SSH from the Bastion"
		274 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		275 |   from_port                    = 22
		276 |   ip_protocol                  = "tcp"
		277 |   to_port                      = 22
		278 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:158-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		158 | resource "aws_instance" "concurrent_manager" {
		159 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		160 |   availability_zone           = "eu-west-2a"
		161 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		162 |   monitoring                  = true
		163 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		164 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		165 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		166 |   key_name                    = aws_key_pair.cwa.key_name
		167 |   user_data_base64            = base64encode(local.cm_userdata)
		168 |   user_data_replace_on_change = false
		169 |   metadata_options {
		170 |     http_tokens = "optional"
		171 |   }
		172 | 
		173 |   root_block_device {
		174 |     tags = merge(
		175 |       { "instance-scheduling" = "skip-scheduling" },
		176 |       local.tags,
		177 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		178 |     )
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     { "instance-scheduling" = "skip-scheduling" },
		183 |     local.tags,
		184 |     { "Name" = local.cm_ec2_name },
		185 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		186 |   )
		187 | 
		188 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		189 | 
		190 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:158-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		158 | resource "aws_instance" "concurrent_manager" {
		159 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		160 |   availability_zone           = "eu-west-2a"
		161 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		162 |   monitoring                  = true
		163 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		164 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		165 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		166 |   key_name                    = aws_key_pair.cwa.key_name
		167 |   user_data_base64            = base64encode(local.cm_userdata)
		168 |   user_data_replace_on_change = false
		169 |   metadata_options {
		170 |     http_tokens = "optional"
		171 |   }
		172 | 
		173 |   root_block_device {
		174 |     tags = merge(
		175 |       { "instance-scheduling" = "skip-scheduling" },
		176 |       local.tags,
		177 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		178 |     )
		179 |   }
		180 | 
		181 |   tags = merge(
		182 |     { "instance-scheduling" = "skip-scheduling" },
		183 |     local.tags,
		184 |     { "Name" = local.cm_ec2_name },
		185 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		186 |   )
		187 | 
		188 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		189 | 
		190 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:208-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		208 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		209 |   security_group_id = aws_security_group.concurrent_manager.id
		210 |   cidr_ipv4         = "0.0.0.0/0"
		211 |   ip_protocol       = "-1"
		212 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:214-221
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		214 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		215 |   security_group_id            = aws_security_group.concurrent_manager.id
		216 |   description                  = "SSH from the Bastion"
		217 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		218 |   from_port                    = 22
		219 |   ip_protocol                  = "tcp"
		220 |   to_port                      = 22
		221 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:184-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		184 | resource "aws_instance" "database" {
		185 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		186 |   availability_zone           = "eu-west-2a"
		187 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		188 |   monitoring                  = true
		189 |   vpc_security_group_ids      = [aws_security_group.database.id]
		190 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		191 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		192 |   key_name                    = aws_key_pair.cwa.key_name
		193 |   user_data_base64            = base64encode(local.db_userdata)
		194 |   user_data_replace_on_change = false
		195 |   metadata_options {
		196 |     http_tokens = "optional"
		197 |   }
		198 | 
		199 |   root_block_device {
		200 |     tags = merge(
		201 |       { "instance-scheduling" = "skip-scheduling" },
		202 |       local.tags,
		203 |       { "Name" = "${local.application_name_short}-database-root" }
		204 |     )
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     { "instance-scheduling" = "skip-scheduling" },
		209 |     local.tags,
		210 |     { "Name" = local.database_ec2_name }
		211 |   )
		212 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:184-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		184 | resource "aws_instance" "database" {
		185 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		186 |   availability_zone           = "eu-west-2a"
		187 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		188 |   monitoring                  = true
		189 |   vpc_security_group_ids      = [aws_security_group.database.id]
		190 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		191 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		192 |   key_name                    = aws_key_pair.cwa.key_name
		193 |   user_data_base64            = base64encode(local.db_userdata)
		194 |   user_data_replace_on_change = false
		195 |   metadata_options {
		196 |     http_tokens = "optional"
		197 |   }
		198 | 
		199 |   root_block_device {
		200 |     tags = merge(
		201 |       { "instance-scheduling" = "skip-scheduling" },
		202 |       local.tags,
		203 |       { "Name" = "${local.application_name_short}-database-root" }
		204 |     )
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     { "instance-scheduling" = "skip-scheduling" },
		209 |     local.tags,
		210 |     { "Name" = local.database_ec2_name }
		211 |   )
		212 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		213 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:236-240
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		236 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		237 |   security_group_id = aws_security_group.database.id
		238 |   cidr_ipv4         = "0.0.0.0/0"
		239 |   ip_protocol       = "-1"
		240 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:242-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		242 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		243 |   security_group_id            = aws_security_group.database.id
		244 |   description                  = "SSH from the Bastion"
		245 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		246 |   from_port                    = 22
		247 |   ip_protocol                  = "tcp"
		248 |   to_port                      = 22
		249 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:251-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		251 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		252 |   security_group_id            = aws_security_group.database.id
		253 |   description                  = "Allow Lambda SSH access for backup snapshots"
		254 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		255 |   from_port                    = 22
		256 |   ip_protocol                  = "tcp"
		257 |   to_port                      = 22
		258 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:385-401
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		385 | resource "aws_ebs_volume" "app1" {
		386 |   availability_zone = "eu-west-2a"
		387 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		388 |   type              = "gp2"
		389 |   encrypted         = true
		390 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		391 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		392 | 
		393 |   lifecycle {
		394 |     ignore_changes = [kms_key_id]
		395 |   }
		396 | 
		397 |   tags = merge(
		398 |     local.tags,
		399 |     { "Name" = "${local.application_name_short}-app1-data" },
		400 |   )
		401 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:409-426
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		409 | resource "aws_ebs_volume" "app2" {
		410 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		411 |   availability_zone = "eu-west-2a"
		412 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		413 |   type              = "gp2"
		414 |   encrypted         = true
		415 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		416 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		417 | 
		418 |   lifecycle {
		419 |     ignore_changes = [kms_key_id]
		420 |   }
		421 | 
		422 |   tags = merge(
		423 |     local.tags,
		424 |     { "Name" = "${local.application_name_short}-app2-data" },
		425 |   )
		426 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:245-261
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		245 | resource "aws_ebs_volume" "concurrent_manager" {
		246 |   availability_zone = "eu-west-2a"
		247 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		248 |   type              = "gp2"
		249 |   encrypted         = true
		250 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		251 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		252 | 
		253 |   lifecycle {
		254 |     ignore_changes = [kms_key_id]
		255 |   }
		256 | 
		257 |   tags = merge(
		258 |     local.tags,
		259 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		260 |   )
		261 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:420-436
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		420 | resource "aws_ebs_volume" "oradata" {
		421 |   availability_zone = "eu-west-2a"
		422 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		423 |   type              = "gp2"
		424 |   encrypted         = true
		425 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		426 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		427 | 
		428 |   lifecycle {
		429 |     ignore_changes = [kms_key_id]
		430 |   }
		431 | 
		432 |   tags = merge(
		433 |     local.tags,
		434 |     { "Name" = "${local.application_name_short}-database-oradata" },
		435 |   )
		436 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:444-460
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		444 | resource "aws_ebs_volume" "oracle" {
		445 |   availability_zone = "eu-west-2a"
		446 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		447 |   type              = "gp2"
		448 |   encrypted         = true
		449 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		450 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		451 | 
		452 |   lifecycle {
		453 |     ignore_changes = [kms_key_id]
		454 |   }
		455 | 
		456 |   tags = merge(
		457 |     local.tags,
		458 |     { "Name" = "${local.application_name_short}-database-oracle" },
		459 |   )
		460 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:468-484
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		468 | resource "aws_ebs_volume" "oraarch" {
		469 |   availability_zone = "eu-west-2a"
		470 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		471 |   type              = "gp2"
		472 |   encrypted         = true
		473 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		474 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		475 | 
		476 |   lifecycle {
		477 |     ignore_changes = [kms_key_id]
		478 |   }
		479 | 
		480 |   tags = merge(
		481 |     local.tags,
		482 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		483 |   )
		484 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:492-508
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		492 | resource "aws_ebs_volume" "oratmp" {
		493 |   availability_zone = "eu-west-2a"
		494 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		495 |   type              = "gp2"
		496 |   encrypted         = true
		497 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		498 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		499 | 
		500 |   lifecycle {
		501 |     ignore_changes = [kms_key_id]
		502 |   }
		503 | 
		504 |   tags = merge(
		505 |     local.tags,
		506 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		507 |   )
		508 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:516-532
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		516 | resource "aws_ebs_volume" "oraredo" {
		517 |   availability_zone = "eu-west-2a"
		518 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		519 |   type              = "gp2"
		520 |   encrypted         = true
		521 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		522 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		523 | 
		524 |   lifecycle {
		525 |     ignore_changes = [kms_key_id]
		526 |   }
		527 | 
		528 |   tags = merge(
		529 |     local.tags,
		530 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		531 |   )
		532 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:540-556
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		540 | resource "aws_ebs_volume" "share" {
		541 |   availability_zone = "eu-west-2a"
		542 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		543 |   type              = "gp2"
		544 |   encrypted         = true
		545 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		546 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		547 | 
		548 |   lifecycle {
		549 |     ignore_changes = [kms_key_id]
		550 |   }
		551 | 
		552 |   tags = merge(
		553 |     local.tags,
		554 |     { "Name" = "${local.application_name_short}-database-share" },
		555 |   )
		556 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/app_servers.tf line 170:
 170: resource "time_sleep" "wait_app_userdata_scripts" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-10-30T17:10:03Z	INFO	[vulndb] Need to update DB
2024-10-30T17:10:03Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-30T17:10:03Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T17:10:06Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-30T17:10:06Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-30T17:10:06Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-30T17:10:06Z	INFO	[misconfig] Need to update the built-in checks
2024-10-30T17:10:06Z	INFO	[misconfig] Downloading the built-in checks...
2024-10-30T17:10:06Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:6305306961f35e5295f110df324ec41b25d1b48376b3cb97ea91b3edbbf3c463: TOOMANYREQUESTS: retry-after: 71.972µs, allowed: 44000/minute"
2024-10-30T17:10:06Z	INFO	[secret] Secret scanning is enabled
2024-10-30T17:10:06Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-30T17:10:06Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-30T17:10:07Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-30T17:10:07Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-30T17:10:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-30T17:10:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-30T17:10:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T17:10:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-30T17:10:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T17:10:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T17:10:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T17:10:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T17:10:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T17:10:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T17:10:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-30T17:10:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-30T17:10:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-30T17:10:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-30T17:10:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-30T17:10:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-30T17:10:10Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-30T17:10:11Z	INFO	Number of language-specific files	num=0
2024-10-30T17:10:11Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [   internal                   = false
 ...   
 153   }
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:192
   via app_servers.tf:191-193 (metadata_options)
    via app_servers.tf:180-212 (aws_instance.app1)
────────────────────────────────────────
 180   resource "aws_instance" "app1" {
 ...   
 192 [     http_tokens = "optional"
 ...   
 212   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:227
   via app_servers.tf:226-228 (metadata_options)
    via app_servers.tf:214-247 (aws_instance.app2[0])
────────────────────────────────────────
 214   resource "aws_instance" "app2" {
 ...   
 227 [     http_tokens = "optional"
 ...   
 247   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:180-212
────────────────────────────────────────
 180 ┌ resource "aws_instance" "app1" {
 181 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 182 │   availability_zone           = "eu-west-2a"
 183 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 184 │   monitoring                  = true
 185 │   vpc_security_group_ids      = [aws_security_group.app.id]
 186 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 187 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 188 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:214-247
────────────────────────────────────────
 214 ┌ resource "aws_instance" "app2" {
 215 │   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
 216 │   ami                    = local.application_data.accounts[local.environment].app_ami_id
 217 │   availability_zone      = "eu-west-2a"
 218 │   instance_type          = local.application_data.accounts[local.environment].app_instance_type
 219 │   monitoring             = true
 220 │   vpc_security_group_ids = [aws_security_group.app.id]
 221 │   subnet_id              = data.aws_subnet.private_subnets_a.id
 222 └   iam_instance_profile   = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:170
   via concurrent_manager.tf:169-171 (metadata_options)
    via concurrent_manager.tf:158-190 (aws_instance.concurrent_manager)
────────────────────────────────────────
 158   resource "aws_instance" "concurrent_manager" {
 ...   
 170 [     http_tokens = "optional"
 ...   
 190   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:158-190
────────────────────────────────────────
 158 ┌ resource "aws_instance" "concurrent_manager" {
 159 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 160 │   availability_zone           = "eu-west-2a"
 161 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 162 │   monitoring                  = true
 163 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 164 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 165 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 166 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:196
   via database.tf:195-197 (metadata_options)
    via database.tf:184-213 (aws_instance.database)
────────────────────────────────────────
 184   resource "aws_instance" "database" {
 ...   
 196 [     http_tokens = "optional"
 ...   
 213   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:184-213
────────────────────────────────────────
 184 ┌ resource "aws_instance" "database" {
 185 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 186 │   availability_zone           = "eu-west-2a"
 187 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 188 │   monitoring                  = true
 189 │   vpc_security_group_ids      = [aws_security_group.database.id]
 190 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 191 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 192 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


trivy_exitcode=1

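The scan output above names the failing setting for each finding but never shows the corrected Terraform. What follows is an added example, not code from PR #8462 or the ministryofjustice repository, of how the flagged resources could be written so that the tflint, checkov and trivy findings clear. It reuses the resource, data-source and local names that appear in the scan output (aws_instance.app1, aws_lb.external, aws_s3_bucket.scripts, data.aws_kms_key.ebs_shared, local.application_data, local.tags) and assumes two things the page does not define: an aws_iam_role.backup with the AWS managed AWSBackupServiceRolePolicyForBackup policy attached, and an aws_kms_key.s3_scripts customer managed key. The provider version constraints are illustrative values, not the repository's.

```hcl
# Added example: one way to clear the tflint, checkov and trivy findings above.
# Not code from PR #8462; reuses the page's own names and assumes a hypothetical
# aws_iam_role.backup and a hypothetical aws_kms_key.s3_scripts CMK.

terraform {
  required_providers { # tflint terraform_required_providers: pin every provider the module uses
    time     = { source = "hashicorp/time", version = "~> 0.12" }
    archive  = { source = "hashicorp/archive", version = "~> 2.4" }
    template = { source = "hashicorp/template", version = "~> 2.2" }
    local    = { source = "hashicorp/local", version = "~> 2.5" }
  }
}

# avd-aws-0028 / avd-aws-0131: IMDSv2 only and an encrypted root volume.
resource "aws_instance" "app1" {
  ami                    = local.application_data.accounts[local.environment].app_ami_id
  instance_type          = local.application_data.accounts[local.environment].app_instance_type
  subnet_id              = data.aws_subnet.private_subnets_a.id
  vpc_security_group_ids = [aws_security_group.app.id]
  iam_instance_profile   = aws_iam_instance_profile.cwa.id

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # a plain GET via SSRF can no longer read instance-profile credentials
    http_put_response_hop_limit = 1          # the session token cannot be forwarded off the host
  }

  root_block_device {
    encrypted  = true
    kms_key_id = data.aws_kms_key.ebs_shared.arn # root_block_device takes the key ARN
  }

  tags = merge(local.tags, { Name = "${local.application_name_short}-app1", backup = "true" })
}

# avd-aws-0052: drop header fields that are not valid HTTP header names before they reach the targets.
resource "aws_lb" "external" {
  name                       = "${upper(local.application_name_short)}-LoadBalancer"
  internal                   = false # avd-aws-0053 stays: this ALB is public by design
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.external_lb.id]
  subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id]
  drop_invalid_header_fields = true
}

# avd-aws-0088 / avd-aws-0132 / CKV2_AWS_61: SSE-KMS with a CMK by default, versioning, and a lifecycle rule.
resource "aws_s3_bucket_server_side_encryption_configuration" "scripts" {
  bucket = aws_s3_bucket.scripts.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3_scripts.arn # hypothetical CMK, not defined on the page
    }
    bucket_key_enabled = true
  }
}

resource "aws_s3_bucket_versioning" "scripts" {
  bucket = aws_s3_bucket.scripts.id
  versioning_configuration { status = "Enabled" }
}

resource "aws_s3_bucket_lifecycle_configuration" "scripts" {
  bucket     = aws_s3_bucket.scripts.id
  depends_on = [aws_s3_bucket_versioning.scripts] # noncurrent-version rules need versioning first
  rule {
    id     = "tidy-scripts"
    status = "Enabled"
    filter {}
    noncurrent_version_expiration { noncurrent_days = 30 }
    abort_incomplete_multipart_upload { days_after_initiation = 7 }
  }
}

# CKV2_AWS_9: a plan plus a tag-based selection; every EBS volume tagged backup = "true" is covered.
resource "aws_backup_vault" "cwa" {
  name = "${local.application_name_short}-${local.environment}-vault"
}

resource "aws_backup_plan" "daily" {
  name = "${local.application_name_short}-daily"
  rule {
    rule_name         = "daily-0200"
    target_vault_name = aws_backup_vault.cwa.name
    schedule          = "cron(0 2 * * ? *)"
    lifecycle { delete_after = 35 }
  }
}

resource "aws_backup_selection" "ebs" {
  name         = "${local.application_name_short}-ebs"
  plan_id      = aws_backup_plan.daily.id
  iam_role_arn = aws_iam_role.backup.arn # hypothetical role with AWSBackupServiceRolePolicyForBackup
  selection_tag {
    type  = "STRINGEQUALS"
    key   = "backup"
    value = "true"
  }
}
```

Of these, the IMDSv2 change is the one with direct exploit impact: with http_tokens = "optional", any SSRF or request-forgery bug in the app tier can read the instance-profile credentials from 169.254.169.254 with a single GET, whereas "required" forces the caller to obtain a session token with a PUT first, which most SSRF primitives cannot issue. Before flipping it, confirm that nothing on the hosts (older CloudWatch or SSM agents, the Oracle tooling, the user-data scripts this PR touches) still relies on IMDSv1, because those calls fail the moment the setting changes. For the backup selection to pick up the volumes checkov flagged, each aws_ebs_volume in database.tf and concurrent_manager.tf needs the same backup = "true" tag shown on app1 above; tagging is the whole coupling between the volume and the plan, so a volume created without the tag is silently left out.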
@vc13837 vc13837 temporarily deployed to contract-work-administration-development October 30, 2024 17:17 — with GitHub Actions Inactive
@vc13837 vc13837 temporarily deployed to contract-work-administration-development October 31, 2024 10:10 — with GitHub Actions Inactive
Trivy Scan Failed

```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-10-31T10:10:54Z INFO [vulndb] Need to update DB
2024-10-31T10:10:54Z INFO [vulndb] Downloading vulnerability DB...
2024-10-31T10:10:54Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T10:10:56Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T10:10:56Z INFO [vuln] Vulnerability scanning is enabled
2024-10-31T10:10:56Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-31T10:10:56Z INFO [misconfig] Need to update the built-in checks
2024-10-31T10:10:56Z INFO [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-10-31T10:10:56Z INFO [secret] Secret scanning is enabled
2024-10-31T10:10:56Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-31T10:10:56Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-31T10:10:58Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-31T10:10:58Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-31T10:10:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-31T10:10:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-31T10:10:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T10:10:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T10:11:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T10:11:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T10:11:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T10:11:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T10:11:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T10:11:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T10:11:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T10:11:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T10:11:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T10:11:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T10:11:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T10:11:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T10:11:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-31T10:11:01Z INFO Number of language-specific files num=0
2024-10-31T10:11:01Z INFO Detected config files num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:192-194
via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
181 resource "aws_instance" "app1" {
...
192 ┌ metadata_options {
193 │ http_tokens = "optional"
194 └ }
...
213 }
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:227-229
via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
215 resource "aws_instance" "app2" {
...
227 ┌ metadata_options {
228 │ http_tokens = "optional"
229 └ }
...
248 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:196-202
via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
181 resource "aws_instance" "app1" {
...
196 ┌ root_block_device {
197 │ tags = merge(
198 │ { "instance-scheduling" = "skip-scheduling" },
199 │ local.tags,
200 │ { "Name" = "${local.application_name_short}-app1-root" }
201 │ )
202 └ }
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:231-237
via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
215 resource "aws_instance" "app2" {
...
231 ┌ root_block_device {
232 │ tags = merge(
233 │ { "instance-scheduling" = "skip-scheduling" },
234 │ local.tags,
235 │ { "Name" = "${local.application_name_short}-app2-root" }
236 │ )
237 └ }
...
────────────────────────────────────────

backup_lambda.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:170-172
via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
159 resource "aws_instance" "concurrent_manager" {
...
170 ┌ metadata_options {
171 │ http_tokens = "optional"
172 └ }
...
191 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:174-180
via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
159 resource "aws_instance" "concurrent_manager" {
...
174 ┌ root_block_device {
175 │ tags = merge(
176 │ { "instance-scheduling" = "skip-scheduling" },
177 │ local.tags,
178 │ { "Name" = "${local.application_name_short}-concurrent-manager-root" }
179 │ )
180 └ }
...
────────────────────────────────────────

database.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:194-196
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
194 ┌ metadata_options {
195 │ http_tokens = "optional"
196 └ }
...
212 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:198-204
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
198 ┌ root_block_device {
199 │ tags = merge(
200 │ { "instance-scheduling" = "skip-scheduling" },
201 │ local.tags,
202 │ { "Name" = "${local.application_name_short}-database-root" }
203 │ )
204 └ }
...
────────────────────────────────────────

trivy_exitcode=1

</details>

#### `Checkov Scan` Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-31 10:11:04,706 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-31 10:11:04,706 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-10-31 10:11:04,706 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-31 10:11:04,734 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-31 10:11:04,735 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		215 | resource "aws_instance" "app2" {
		216 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone      = "eu-west-2a"
		219 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring             = true
		221 |   vpc_security_group_ids = [aws_security_group.app.id]
		222 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		224 |   key_name               = aws_key_pair.cwa.key_name
		225 |   user_data_base64       = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		215 | resource "aws_instance" "app2" {
		216 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone      = "eu-west-2a"
		219 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring             = true
		221 |   vpc_security_group_ids = [aws_security_group.app.id]
		222 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		224 |   key_name               = aws_key_pair.cwa.key_name
		225 |   user_data_base64       = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:266-270
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		266 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		267 |   security_group_id = aws_security_group.app.id
		268 |   cidr_ipv4         = "0.0.0.0/0"
		269 |   ip_protocol       = "-1"
		270 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:272-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		272 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		273 |   security_group_id            = aws_security_group.app.id
		274 |   description                  = "SSH from the Bastion"
		275 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		276 |   from_port                    = 22
		277 |   ip_protocol                  = "tcp"
		278 |   to_port                      = 22
		279 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:209-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		209 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		210 |   security_group_id = aws_security_group.concurrent_manager.id
		211 |   cidr_ipv4         = "0.0.0.0/0"
		212 |   ip_protocol       = "-1"
		213 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:215-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		215 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		216 |   security_group_id            = aws_security_group.concurrent_manager.id
		217 |   description                  = "SSH from the Bastion"
		218 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		219 |   from_port                    = 22
		220 |   ip_protocol                  = "tcp"
		221 |   to_port                      = 22
		222 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:235-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		235 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		236 |   security_group_id = aws_security_group.database.id
		237 |   cidr_ipv4         = "0.0.0.0/0"
		238 |   ip_protocol       = "-1"
		239 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:241-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		241 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		242 |   security_group_id            = aws_security_group.database.id
		243 |   description                  = "SSH from the Bastion"
		244 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		245 |   from_port                    = 22
		246 |   ip_protocol                  = "tcp"
		247 |   to_port                      = 22
		248 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:250-257
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		250 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		251 |   security_group_id            = aws_security_group.database.id
		252 |   description                  = "Allow Lambda SSH access for backup snapshots"
		253 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		254 |   from_port                    = 22
		255 |   ip_protocol                  = "tcp"
		256 |   to_port                      = 22
		257 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:386-402
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		386 | resource "aws_ebs_volume" "app1" {
		387 |   availability_zone = "eu-west-2a"
		388 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		389 |   type              = "gp2"
		390 |   encrypted         = true
		391 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		392 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		393 | 
		394 |   lifecycle {
		395 |     ignore_changes = [kms_key_id]
		396 |   }
		397 | 
		398 |   tags = merge(
		399 |     local.tags,
		400 |     { "Name" = "${local.application_name_short}-app1-data" },
		401 |   )
		402 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:410-427
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		410 | resource "aws_ebs_volume" "app2" {
		411 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		412 |   availability_zone = "eu-west-2a"
		413 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		414 |   type              = "gp2"
		415 |   encrypted         = true
		416 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		417 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		418 | 
		419 |   lifecycle {
		420 |     ignore_changes = [kms_key_id]
		421 |   }
		422 | 
		423 |   tags = merge(
		424 |     local.tags,
		425 |     { "Name" = "${local.application_name_short}-app2-data" },
		426 |   )
		427 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:246-262
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		246 | resource "aws_ebs_volume" "concurrent_manager" {
		247 |   availability_zone = "eu-west-2a"
		248 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		249 |   type              = "gp2"
		250 |   encrypted         = true
		251 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		252 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		253 | 
		254 |   lifecycle {
		255 |     ignore_changes = [kms_key_id]
		256 |   }
		257 | 
		258 |   tags = merge(
		259 |     local.tags,
		260 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		261 |   )
		262 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:419-435
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		419 | resource "aws_ebs_volume" "oradata" {
		420 |   availability_zone = "eu-west-2a"
		421 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		422 |   type              = "gp2"
		423 |   encrypted         = true
		424 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		425 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		426 | 
		427 |   lifecycle {
		428 |     ignore_changes = [kms_key_id]
		429 |   }
		430 | 
		431 |   tags = merge(
		432 |     local.tags,
		433 |     { "Name" = "${local.application_name_short}-database-oradata" },
		434 |   )
		435 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:443-459
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		443 | resource "aws_ebs_volume" "oracle" {
		444 |   availability_zone = "eu-west-2a"
		445 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		446 |   type              = "gp2"
		447 |   encrypted         = true
		448 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		449 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		450 | 
		451 |   lifecycle {
		452 |     ignore_changes = [kms_key_id]
		453 |   }
		454 | 
		455 |   tags = merge(
		456 |     local.tags,
		457 |     { "Name" = "${local.application_name_short}-database-oracle" },
		458 |   )
		459 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:467-483
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		467 | resource "aws_ebs_volume" "oraarch" {
		468 |   availability_zone = "eu-west-2a"
		469 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		470 |   type              = "gp2"
		471 |   encrypted         = true
		472 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		473 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		474 | 
		475 |   lifecycle {
		476 |     ignore_changes = [kms_key_id]
		477 |   }
		478 | 
		479 |   tags = merge(
		480 |     local.tags,
		481 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		482 |   )
		483 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:491-507
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		491 | resource "aws_ebs_volume" "oratmp" {
		492 |   availability_zone = "eu-west-2a"
		493 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		494 |   type              = "gp2"
		495 |   encrypted         = true
		496 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		497 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		498 | 
		499 |   lifecycle {
		500 |     ignore_changes = [kms_key_id]
		501 |   }
		502 | 
		503 |   tags = merge(
		504 |     local.tags,
		505 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		506 |   )
		507 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:515-531
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		515 | resource "aws_ebs_volume" "oraredo" {
		516 |   availability_zone = "eu-west-2a"
		517 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		518 |   type              = "gp2"
		519 |   encrypted         = true
		520 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		521 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		522 | 
		523 |   lifecycle {
		524 |     ignore_changes = [kms_key_id]
		525 |   }
		526 | 
		527 |   tags = merge(
		528 |     local.tags,
		529 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		530 |   )
		531 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:539-555
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		539 | resource "aws_ebs_volume" "share" {
		540 |   availability_zone = "eu-west-2a"
		541 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		542 |   type              = "gp2"
		543 |   encrypted         = true
		544 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		545 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		546 | 
		547 |   lifecycle {
		548 |     ignore_changes = [kms_key_id]
		549 |   }
		550 | 
		551 |   tags = merge(
		552 |     local.tags,
		553 |     { "Name" = "${local.application_name_short}-database-share" },
		554 |   )
		555 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1
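
The checkov findings above boil down to a handful of attribute changes. The block below is an added example, not code from this PR or from the modernisation-platform-environments repository: it shows hardened versions of the flagged resource shapes using the same resource names, locals and data sources that appear in the findings. The two KMS keys (aws_kms_key.sns, aws_kms_key.logs) are assumed to exist and are not on the page. Note that the two CKV_AWS_24 port-22 findings are false positives: both rules reference the bastion security group rather than 0.0.0.0/0, so the right response is a justified skip, not a change to the rule.

```hcl
# Added example (not the PR's own code). Names mirror the checkov findings;
# aws_kms_key.sns and aws_kms_key.logs are hypothetical keys.

resource "aws_instance" "database" {
  ami                    = local.application_data.accounts[local.environment].db_ami_id
  availability_zone      = "eu-west-2a"
  instance_type          = local.application_data.accounts[local.environment].db_instance_type
  monitoring             = true
  vpc_security_group_ids = [aws_security_group.database.id]
  subnet_id              = data.aws_subnet.data_subnets_a.id
  iam_instance_profile   = aws_iam_instance_profile.cwa.id
  key_name               = aws_key_pair.cwa.key_name

  # CKV_AWS_135: checkov looks for the attribute, so set it explicitly even on
  # instance families where it is already the default.
  ebs_optimized = true

  # CKV_AWS_79: "optional" leaves IMDSv1 reachable, so any SSRF or local code
  # execution on the host can fetch the instance-profile credentials with a
  # single unauthenticated GET. "required" forces the IMDSv2 token handshake;
  # a hop limit of 1 stops the token leaving the host (e.g. via a container).
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  tags = merge(local.tags, { "Name" = local.database_ec2_name })
}

# CKV_AWS_23: every rule carries a description.
resource "aws_vpc_security_group_egress_rule" "db_outbound" {
  security_group_id = aws_security_group.database.id
  description       = "All outbound from the database host"
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

# CKV_AWS_24: the source is a security group, not a CIDR, so suppress with a
# reason rather than loosening anything.
resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
  #checkov:skip=CKV_AWS_24:Source is the bastion security group, not 0.0.0.0/0
  security_group_id            = aws_security_group.database.id
  description                  = "SSH from the Bastion"
  referenced_security_group_id = module.bastion_linux.bastion_security_group
  from_port                    = 22
  ip_protocol                  = "tcp"
  to_port                      = 22
}

# CKV_AWS_26: encrypt the alerting topic at rest with a customer-managed key.
resource "aws_sns_topic" "cwa" {
  name              = "${local.application_name_short}-${local.environment}-alerting-topic"
  kms_master_key_id = aws_kms_key.sns.arn # assumed key
  tags = merge(
    local.tags,
    { Name = "${local.application_name_short}-${local.environment}-alerting-topic" }
  )
}

# CKV_AWS_338 / CKV_AWS_158: at least a year of retention, encrypted with KMS.
resource "aws_cloudwatch_log_group" "wafv2" {
  count             = local.environment != "production" ? 1 : 0
  name              = "aws-waf-logs-${local.application_name_short}"
  retention_in_days = 365
  kms_key_id        = aws_kms_key.logs.arn # assumed key
  tags = merge(
    local.tags,
    { Name = "aws-waf-logs-${local.application_name_short}" }
  )
}

# CKV2_AWS_65: disable ACLs so the bucket policy is the only access control.
resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
  bucket = aws_s3_bucket.scripts.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}
```

Two caveats before applying this. Encrypting the SNS topic silently breaks publishing from CloudWatch alarms unless the key policy grants cloudwatch.amazonaws.com kms:GenerateDataKey and kms:Decrypt, and the log-group key likewise needs a policy statement for logs.eu-west-2.amazonaws.com; a missing grant shows up as alarms that never page and a log group that refuses to be created, not as a scanner finding. Switching to BucketOwnerEnforced rejects any PutObject that still sets an ACL, so check the scripts upload path first.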

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/database.tf line 174:
 174: resource "time_sleep" "wait_db_userdata_scripts" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
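
The four tflint warnings are the same supply-chain point as the CKV_TF_1 module finding above: an unconstrained provider is resolved to whatever latest version the registry serves at init time. The block below is an added example, not code from this PR; the version floors are assumed and should be set to whatever the environment's .terraform.lock.hcl already records.

```hcl
# Added example (not the PR's own code). Version constraints are assumed floors.
terraform {
  required_version = "~> 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    # data "archive_file" "connect_db" (backup_lambda.tf)
    archive = {
      source  = "hashicorp/archive"
      version = "~> 2.4"
    }
    # data "local_file" "cm_custom_metrics" (data.tf)
    local = {
      source  = "hashicorp/local"
      version = "~> 2.4"
    }
    # resource "time_sleep" "wait_db_userdata_scripts" (database.tf)
    time = {
      source  = "hashicorp/time"
      version = "~> 0.11"
    }
    # data "template_file" "dashboard_no_ha" (cloudwatch.tf).
    # hashicorp/template is archived at 2.2.0 and ships no darwin/arm64 build;
    # the built-in templatefile() function replaces it with no provider at all.
    template = {
      source  = "hashicorp/template"
      version = "~> 2.2"
    }
  }
}
```

Pin the constraint, commit the lock file, and the provider versions become reviewable in a diff rather than a property of whichever runner last ran terraform init.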

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-10-31T10:10:54Z	INFO	[vulndb] Need to update DB
2024-10-31T10:10:54Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-31T10:10:54Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T10:10:56Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T10:10:56Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-31T10:10:56Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-31T10:10:56Z	INFO	[misconfig] Need to update the built-in checks
2024-10-31T10:10:56Z	INFO	[misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-10-31T10:10:56Z	INFO	[secret] Secret scanning is enabled
2024-10-31T10:10:56Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-31T10:10:56Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-31T10:10:58Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-31T10:10:58Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-31T10:10:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-31T10:10:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-31T10:10:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T10:10:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T10:11:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T10:11:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T10:11:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T10:11:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T10:11:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T10:11:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T10:11:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T10:11:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T10:11:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T10:11:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T10:11:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T10:11:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T10:11:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-31T10:11:01Z	INFO	Number of language-specific files	num=0
2024-10-31T10:11:01Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:192-194
   via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 192 ┌   metadata_options {
 193 │     http_tokens = "optional"
 194 └   }
 ...   
 213   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:227-229
   via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 227 ┌   metadata_options {
 228 │     http_tokens = "optional"
 229 └   }
 ...   
 248   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:196-202
   via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 196 ┌   root_block_device {
 197 │     tags = merge(
 198 │       { "instance-scheduling" = "skip-scheduling" },
 199 │       local.tags,
 200 │       { "Name" = "${local.application_name_short}-app1-root" }
 201 │     )
 202 └   }
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:231-237
   via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 231 ┌   root_block_device {
 232 │     tags = merge(
 233 │       { "instance-scheduling" = "skip-scheduling" },
 234 │       local.tags,
 235 │       { "Name" = "${local.application_name_short}-app2-root" }
 236 │     )
 237 └   }
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:170-172
   via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 170 ┌   metadata_options {
 171 │     http_tokens = "optional"
 172 └   }
 ...   
 191   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:174-180
   via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 174 ┌   root_block_device {
 175 │     tags = merge(
 176 │       { "instance-scheduling" = "skip-scheduling" },
 177 │       local.tags,
 178 │       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
 179 │     )
 180 └   }
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:194-196
   via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 194 ┌   metadata_options {
 195 │     http_tokens = "optional"
 196 └   }
 ...   
 212   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:198-204
   via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 198 ┌   root_block_device {
 199 │     tags = merge(
 200 │       { "instance-scheduling" = "skip-scheduling" },
 201 │       local.tags,
 202 │       { "Name" = "${local.application_name_short}-database-root" }
 203 │     )
 204 └   }
 ...   
────────────────────────────────────────


trivy_exitcode=1
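Every HIGH finding in the Trivy run above is a one-line setting on the resource block it quotes. The following is an added example, not code from this PR or from the ministryofjustice repository: the three resource types Trivy flagged (`aws_instance`, `aws_lb`, `aws_s3_bucket`), rewritten with the settings each finding asks for. Attribute values the scan output does not show (AMI, instance type, subnet) and the two KMS keys (`aws_kms_key.ebs`, `aws_kms_key.s3`) are assumed placeholders, and the inline ignore syntax is assumed from Trivy's inline-ignore feature rather than taken from this repository.

```hcl
# Added example: the resources Trivy flagged, rewritten with the settings each
# finding asks for. Not code from this PR. AMI, instance type, subnet and the
# two KMS keys (aws_kms_key.ebs, aws_kms_key.s3) are assumed placeholders.

# AVD-AWS-0028 (IMDSv2 tokens) and AVD-AWS-0131 (encrypted root volume).
# The same two blocks apply unchanged to app2, concurrent_manager and database.
resource "aws_instance" "app1" {
  ami           = local.app_ami_id                     # assumed
  instance_type = local.app_instance_type              # assumed
  subnet_id     = data.aws_subnet.private_subnets_a.id # assumed

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # was "optional"; GETs without a PUT-issued token are refused
    http_put_response_hop_limit = 1          # default; raise to 2 only if containers on the host need IMDS
  }

  root_block_device {
    encrypted  = true                # was unset; false unless EBS encryption-by-default is on in the account
    kms_key_id = aws_kms_key.ebs.arn # assumed CMK; drop this line to use the AWS-managed aws/ebs key
    tags = merge(
      { "instance-scheduling" = "skip-scheduling" },
      local.tags,
      { "Name" = "${local.application_name_short}-app1-root" }
    )
  }
}

# AVD-AWS-0052 (drop invalid headers) and AVD-AWS-0053 (internet-facing ALB).
# The ALB is meant to be public, so that finding is suppressed at the resource.
# The ignore comment must be the line directly above the block (syntax assumed).
#trivy:ignore:AVD-AWS-0053
resource "aws_lb" "external" {
  name                       = "${upper(local.application_name_short)}-LoadBalancer"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.external_lb.id]
  subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
  enable_deletion_protection = local.lb_enable_deletion_protection
  idle_timeout               = local.external_lb_idle_timeout
  enable_http2               = false
  drop_invalid_header_fields = true # was commented out in alb.tf

  access_logs {
    bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
    prefix  = "${local.application_name}-LoadBalancer"
    enabled = true
  }

  tags = merge(
    local.tags,
    { Name = "${local.application_name}-LoadBalancer" },
  )
}

# AVD-AWS-0088 (bucket encryption) and AVD-AWS-0132 (customer managed key).
# With AWS provider v4+ encryption is a separate resource, not an argument on
# aws_s3_bucket; the scanners associate it with the bucket through the bucket id.
resource "aws_s3_bucket" "scripts" {
  bucket = "${local.application_name_short}-${local.environment}-scripts"
  tags = merge(
    local.tags,
    { Name = "${local.application_name_short}-${local.environment}-scripts" }
  )
}

resource "aws_s3_bucket_server_side_encryption_configuration" "scripts" {
  bucket = aws_s3_bucket.scripts.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn # assumed CMK
    }
    bucket_key_enabled = true # one data key per bucket rather than per object; fewer KMS calls
  }
}
```

Two of these changes are not free on instances that already exist. `encrypted` on `root_block_device` is a create-time attribute, so adding it to `app1`, `app2`, `concurrent_manager` and `database` makes Terraform replace the instances; check `terraform plan` for "must be replaced" and snapshot the database host before applying. Switching `http_tokens` to `required` is applied in place but breaks any caller still using IMDSv1 (old SDKs, an unpatched CloudWatch agent, scripts that curl `169.254.169.254` without a token); the per-instance `MetadataNoToken` CloudWatch metric shows whether such callers exist before you enforce it. `drop_invalid_header_fields` removes request headers whose names are not valid HTTP tokens (underscores included), so confirm the application behind port 8050 does not rely on any such header. Of the Checkov findings further down, CKV_AWS_131 is the same `drop_invalid_header_fields` setting; CKV_AWS_378 (HTTP target group) would need the target to terminate TLS on 8050 and is not covered here.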

@vc13837 vc13837 temporarily deployed to contract-work-administration-development October 31, 2024 10:59 — with GitHub Actions Inactive
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-10-31T11:00:21Z INFO [vulndb] Need to update DB
2024-10-31T11:00:21Z INFO [vulndb] Downloading vulnerability DB...
2024-10-31T11:00:21Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T11:00:23Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T11:00:23Z INFO [vuln] Vulnerability scanning is enabled
2024-10-31T11:00:23Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-31T11:00:23Z INFO [misconfig] Need to update the built-in checks
2024-10-31T11:00:23Z INFO [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-31T11:00:24Z INFO [secret] Secret scanning is enabled
2024-10-31T11:00:24Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-31T11:00:24Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-31T11:00:25Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-31T11:00:25Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-31T11:00:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-31T11:00:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-31T11:00:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T11:00:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T11:00:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T11:00:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T11:00:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T11:00:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T11:00:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T11:00:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T11:00:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T11:00:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T11:00:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T11:00:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T11:00:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T11:00:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T11:00:27Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-31T11:00:27Z INFO Number of language-specific files num=0
2024-10-31T11:00:27Z INFO Detected config files num=9

alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:193-195
via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
182 resource "aws_instance" "app1" {
...
193 ┌ metadata_options {
194 │ http_tokens = "optional"
195 └ }
...
214 }
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:228-230
via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
216 resource "aws_instance" "app2" {
...
228 ┌ metadata_options {
229 │ http_tokens = "optional"
230 └ }
...
249 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:197-203
via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
182 resource "aws_instance" "app1" {
...
197 ┌ root_block_device {
198 │ tags = merge(
199 │ { "instance-scheduling" = "skip-scheduling" },
200 │ local.tags,
201 │ { "Name" = "${local.application_name_short}-app1-root" }
202 │ )
203 └ }
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:232-238
via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
216 resource "aws_instance" "app2" {
...
232 ┌ root_block_device {
233 │ tags = merge(
234 │ { "instance-scheduling" = "skip-scheduling" },
235 │ local.tags,
236 │ { "Name" = "${local.application_name_short}-app2-root" }
237 │ )
238 └ }
...
────────────────────────────────────────

backup_lambda.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:171-173
via concurrent_manager.tf:160-192 (aws_instance.concurrent_manager)
────────────────────────────────────────
160 resource "aws_instance" "concurrent_manager" {
...
171 ┌ metadata_options {
172 │ http_tokens = "optional"
173 └ }
...
192 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:175-181
via concurrent_manager.tf:160-192 (aws_instance.concurrent_manager)
────────────────────────────────────────
160 resource "aws_instance" "concurrent_manager" {
...
175 ┌ root_block_device {
176 │ tags = merge(
177 │ { "instance-scheduling" = "skip-scheduling" },
178 │ local.tags,
179 │ { "Name" = "${local.application_name_short}-concurrent-manager-root" }
180 │ )
181 └ }
...
────────────────────────────────────────

database.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:194-196
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
194 ┌ metadata_options {
195 │ http_tokens = "optional"
196 └ }
...
212 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:198-204
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
198 ┌ root_block_device {
199 │ tags = merge(
200 │ { "instance-scheduling" = "skip-scheduling" },
201 │ local.tags,
202 │ { "Name" = "${local.application_name_short}-database-root" }
203 │ )
204 └ }
...
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-31 11:00:30,261 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-31 11:00:30,261 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-10-31 11:00:30,261 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-31 11:00:30,289 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-31 11:00:30,289 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:182-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		182 | resource "aws_instance" "app1" {
		183 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		184 |   availability_zone           = "eu-west-2a"
		185 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		186 |   monitoring                  = true
		187 |   vpc_security_group_ids      = [aws_security_group.app.id]
		188 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		189 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		190 |   key_name                    = aws_key_pair.cwa.key_name
		191 |   user_data_base64            = base64encode(local.app_userdata)
		192 |   user_data_replace_on_change = true
		193 |   metadata_options {
		194 |     http_tokens = "optional"
		195 |   }
		196 | 
		197 |   root_block_device {
		198 |     tags = merge(
		199 |       { "instance-scheduling" = "skip-scheduling" },
		200 |       local.tags,
		201 |       { "Name" = "${local.application_name_short}-app1-root" }
		202 |     )
		203 |   }
		204 | 
		205 |   tags = merge(
		206 |     { "instance-scheduling" = "skip-scheduling" },
		207 |     local.tags,
		208 |     { "Name" = local.appserver1_ec2_name },
		209 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		210 |   )
		211 | 
		212 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		213 | 
		214 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:182-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		182 | resource "aws_instance" "app1" {
		183 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		184 |   availability_zone           = "eu-west-2a"
		185 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		186 |   monitoring                  = true
		187 |   vpc_security_group_ids      = [aws_security_group.app.id]
		188 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		189 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		190 |   key_name                    = aws_key_pair.cwa.key_name
		191 |   user_data_base64            = base64encode(local.app_userdata)
		192 |   user_data_replace_on_change = true
		193 |   metadata_options {
		194 |     http_tokens = "optional"
		195 |   }
		196 | 
		197 |   root_block_device {
		198 |     tags = merge(
		199 |       { "instance-scheduling" = "skip-scheduling" },
		200 |       local.tags,
		201 |       { "Name" = "${local.application_name_short}-app1-root" }
		202 |     )
		203 |   }
		204 | 
		205 |   tags = merge(
		206 |     { "instance-scheduling" = "skip-scheduling" },
		207 |     local.tags,
		208 |     { "Name" = local.appserver1_ec2_name },
		209 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		210 |   )
		211 | 
		212 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		213 | 
		214 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:216-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		216 | resource "aws_instance" "app2" {
		217 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		218 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		219 |   availability_zone      = "eu-west-2a"
		220 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		221 |   monitoring             = true
		222 |   vpc_security_group_ids = [aws_security_group.app.id]
		223 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		224 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		225 |   key_name               = aws_key_pair.cwa.key_name
		226 |   user_data_base64       = base64encode(local.app_userdata)
		227 |   user_data_replace_on_change = false
		228 |   metadata_options {
		229 |     http_tokens = "optional"
		230 |   }
		231 | 
		232 |   root_block_device {
		233 |     tags = merge(
		234 |       { "instance-scheduling" = "skip-scheduling" },
		235 |       local.tags,
		236 |       { "Name" = "${local.application_name_short}-app2-root" }
		237 |     )
		238 |   }
		239 | 
		240 |   tags = merge(
		241 |     { "instance-scheduling" = "skip-scheduling" },
		242 |     local.tags,
		243 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		244 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		245 |   )
		246 | 
		247 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		248 | 
		249 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:216-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		216 | resource "aws_instance" "app2" {
		217 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		218 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		219 |   availability_zone      = "eu-west-2a"
		220 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		221 |   monitoring             = true
		222 |   vpc_security_group_ids = [aws_security_group.app.id]
		223 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		224 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		225 |   key_name               = aws_key_pair.cwa.key_name
		226 |   user_data_base64       = base64encode(local.app_userdata)
		227 |   user_data_replace_on_change = false
		228 |   metadata_options {
		229 |     http_tokens = "optional"
		230 |   }
		231 | 
		232 |   root_block_device {
		233 |     tags = merge(
		234 |       { "instance-scheduling" = "skip-scheduling" },
		235 |       local.tags,
		236 |       { "Name" = "${local.application_name_short}-app2-root" }
		237 |     )
		238 |   }
		239 | 
		240 |   tags = merge(
		241 |     { "instance-scheduling" = "skip-scheduling" },
		242 |     local.tags,
		243 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		244 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		245 |   )
		246 | 
		247 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		248 | 
		249 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:267-271
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		267 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		268 |   security_group_id = aws_security_group.app.id
		269 |   cidr_ipv4         = "0.0.0.0/0"
		270 |   ip_protocol       = "-1"
		271 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:273-280
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		273 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		274 |   security_group_id            = aws_security_group.app.id
		275 |   description                  = "SSH from the Bastion"
		276 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		277 |   from_port                    = 22
		278 |   ip_protocol                  = "tcp"
		279 |   to_port                      = 22
		280 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:160-192
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		160 | resource "aws_instance" "concurrent_manager" {
		161 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		162 |   availability_zone           = "eu-west-2a"
		163 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		164 |   monitoring                  = true
		165 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		166 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		167 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		168 |   key_name                    = aws_key_pair.cwa.key_name
		169 |   user_data_base64            = base64encode(local.cm_userdata)
		170 |   user_data_replace_on_change = true
		171 |   metadata_options {
		172 |     http_tokens = "optional"
		173 |   }
		174 | 
		175 |   root_block_device {
		176 |     tags = merge(
		177 |       { "instance-scheduling" = "skip-scheduling" },
		178 |       local.tags,
		179 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		180 |     )
		181 |   }
		182 | 
		183 |   tags = merge(
		184 |     { "instance-scheduling" = "skip-scheduling" },
		185 |     local.tags,
		186 |     { "Name" = local.cm_ec2_name },
		187 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		188 |   )
		189 | 
		190 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		191 | 
		192 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:160-192
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		160 | resource "aws_instance" "concurrent_manager" {
		161 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		162 |   availability_zone           = "eu-west-2a"
		163 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		164 |   monitoring                  = true
		165 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		166 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		167 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		168 |   key_name                    = aws_key_pair.cwa.key_name
		169 |   user_data_base64            = base64encode(local.cm_userdata)
		170 |   user_data_replace_on_change = true
		171 |   metadata_options {
		172 |     http_tokens = "optional"
		173 |   }
		174 | 
		175 |   root_block_device {
		176 |     tags = merge(
		177 |       { "instance-scheduling" = "skip-scheduling" },
		178 |       local.tags,
		179 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		180 |     )
		181 |   }
		182 | 
		183 |   tags = merge(
		184 |     { "instance-scheduling" = "skip-scheduling" },
		185 |     local.tags,
		186 |     { "Name" = local.cm_ec2_name },
		187 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		188 |   )
		189 | 
		190 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		191 | 
		192 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:210-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		210 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		211 |   security_group_id = aws_security_group.concurrent_manager.id
		212 |   cidr_ipv4         = "0.0.0.0/0"
		213 |   ip_protocol       = "-1"
		214 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:216-223
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		216 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		217 |   security_group_id            = aws_security_group.concurrent_manager.id
		218 |   description                  = "SSH from the Bastion"
		219 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		220 |   from_port                    = 22
		221 |   ip_protocol                  = "tcp"
		222 |   to_port                      = 22
		223 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:235-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		235 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		236 |   security_group_id = aws_security_group.database.id
		237 |   cidr_ipv4         = "0.0.0.0/0"
		238 |   ip_protocol       = "-1"
		239 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:241-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		241 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		242 |   security_group_id            = aws_security_group.database.id
		243 |   description                  = "SSH from the Bastion"
		244 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		245 |   from_port                    = 22
		246 |   ip_protocol                  = "tcp"
		247 |   to_port                      = 22
		248 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:250-257
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		250 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		251 |   security_group_id            = aws_security_group.database.id
		252 |   description                  = "Allow Lambda SSH access for backup snapshots"
		253 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		254 |   from_port                    = 22
		255 |   ip_protocol                  = "tcp"
		256 |   to_port                      = 22
		257 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:387-403
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		387 | resource "aws_ebs_volume" "app1" {
		388 |   availability_zone = "eu-west-2a"
		389 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		390 |   type              = "gp2"
		391 |   encrypted         = true
		392 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		393 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		394 | 
		395 |   lifecycle {
		396 |     ignore_changes = [kms_key_id]
		397 |   }
		398 | 
		399 |   tags = merge(
		400 |     local.tags,
		401 |     { "Name" = "${local.application_name_short}-app1-data" },
		402 |   )
		403 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:411-428
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		411 | resource "aws_ebs_volume" "app2" {
		412 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		413 |   availability_zone = "eu-west-2a"
		414 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		415 |   type              = "gp2"
		416 |   encrypted         = true
		417 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		418 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		419 | 
		420 |   lifecycle {
		421 |     ignore_changes = [kms_key_id]
		422 |   }
		423 | 
		424 |   tags = merge(
		425 |     local.tags,
		426 |     { "Name" = "${local.application_name_short}-app2-data" },
		427 |   )
		428 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:247-263
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		247 | resource "aws_ebs_volume" "concurrent_manager" {
		248 |   availability_zone = "eu-west-2a"
		249 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		250 |   type              = "gp2"
		251 |   encrypted         = true
		252 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		253 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		254 | 
		255 |   lifecycle {
		256 |     ignore_changes = [kms_key_id]
		257 |   }
		258 | 
		259 |   tags = merge(
		260 |     local.tags,
		261 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		262 |   )
		263 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:419-435
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		419 | resource "aws_ebs_volume" "oradata" {
		420 |   availability_zone = "eu-west-2a"
		421 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		422 |   type              = "gp2"
		423 |   encrypted         = true
		424 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		425 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		426 | 
		427 |   lifecycle {
		428 |     ignore_changes = [kms_key_id]
		429 |   }
		430 | 
		431 |   tags = merge(
		432 |     local.tags,
		433 |     { "Name" = "${local.application_name_short}-database-oradata" },
		434 |   )
		435 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:443-459
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		443 | resource "aws_ebs_volume" "oracle" {
		444 |   availability_zone = "eu-west-2a"
		445 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		446 |   type              = "gp2"
		447 |   encrypted         = true
		448 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		449 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		450 | 
		451 |   lifecycle {
		452 |     ignore_changes = [kms_key_id]
		453 |   }
		454 | 
		455 |   tags = merge(
		456 |     local.tags,
		457 |     { "Name" = "${local.application_name_short}-database-oracle" },
		458 |   )
		459 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:467-483
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		467 | resource "aws_ebs_volume" "oraarch" {
		468 |   availability_zone = "eu-west-2a"
		469 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		470 |   type              = "gp2"
		471 |   encrypted         = true
		472 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		473 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		474 | 
		475 |   lifecycle {
		476 |     ignore_changes = [kms_key_id]
		477 |   }
		478 | 
		479 |   tags = merge(
		480 |     local.tags,
		481 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		482 |   )
		483 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:491-507
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		491 | resource "aws_ebs_volume" "oratmp" {
		492 |   availability_zone = "eu-west-2a"
		493 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		494 |   type              = "gp2"
		495 |   encrypted         = true
		496 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		497 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		498 | 
		499 |   lifecycle {
		500 |     ignore_changes = [kms_key_id]
		501 |   }
		502 | 
		503 |   tags = merge(
		504 |     local.tags,
		505 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		506 |   )
		507 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:515-531
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		515 | resource "aws_ebs_volume" "oraredo" {
		516 |   availability_zone = "eu-west-2a"
		517 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		518 |   type              = "gp2"
		519 |   encrypted         = true
		520 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		521 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		522 | 
		523 |   lifecycle {
		524 |     ignore_changes = [kms_key_id]
		525 |   }
		526 | 
		527 |   tags = merge(
		528 |     local.tags,
		529 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		530 |   )
		531 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:539-555
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		539 | resource "aws_ebs_volume" "share" {
		540 |   availability_zone = "eu-west-2a"
		541 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		542 |   type              = "gp2"
		543 |   encrypted         = true
		544 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		545 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		546 | 
		547 |   lifecycle {
		548 |     ignore_changes = [kms_key_id]
		549 |   }
		550 | 
		551 |   tags = merge(
		552 |     local.tags,
		553 |     { "Name" = "${local.application_name_short}-database-share" },
		554 |   )
		555 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/database.tf line 174:
 174: resource "time_sleep" "wait_db_userdata_scripts" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-10-31T11:00:21Z	INFO	[vulndb] Need to update DB
2024-10-31T11:00:21Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-31T11:00:21Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T11:00:23Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T11:00:23Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-31T11:00:23Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-31T11:00:23Z	INFO	[misconfig] Need to update the built-in checks
2024-10-31T11:00:23Z	INFO	[misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-31T11:00:24Z	INFO	[secret] Secret scanning is enabled
2024-10-31T11:00:24Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-31T11:00:24Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-31T11:00:25Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-31T11:00:25Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-31T11:00:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-31T11:00:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-31T11:00:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T11:00:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T11:00:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T11:00:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T11:00:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T11:00:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T11:00:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T11:00:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T11:00:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T11:00:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T11:00:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T11:00:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T11:00:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T11:00:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T11:00:27Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-31T11:00:27Z	INFO	Number of language-specific files	num=0
2024-10-31T11:00:27Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 │   enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 │   enable_http2               = false
 ...   
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:193-195
   via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
 182   resource "aws_instance" "app1" {
 ...   
 193 ┌   metadata_options {
 194 │     http_tokens = "optional"
 195 └   }
 ...   
 214   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:228-230
   via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
 216   resource "aws_instance" "app2" {
 ...   
 228 ┌   metadata_options {
 229 │     http_tokens = "optional"
 230 └   }
 ...   
 249   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:197-203
   via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
 182   resource "aws_instance" "app1" {
 ...   
 197 ┌   root_block_device {
 198 │     tags = merge(
 199 │       { "instance-scheduling" = "skip-scheduling" },
 200 │       local.tags,
 201 │       { "Name" = "${local.application_name_short}-app1-root" }
 202 │     )
 203 └   }
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:232-238
   via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
 216   resource "aws_instance" "app2" {
 ...   
 232 ┌   root_block_device {
 233 │     tags = merge(
 234 │       { "instance-scheduling" = "skip-scheduling" },
 235 │       local.tags,
 236 │       { "Name" = "${local.application_name_short}-app2-root" }
 237 │     )
 238 └   }
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:171-173
   via concurrent_manager.tf:160-192 (aws_instance.concurrent_manager)
────────────────────────────────────────
 160   resource "aws_instance" "concurrent_manager" {
 ...   
 171 ┌   metadata_options {
 172 │     http_tokens = "optional"
 173 └   }
 ...   
 192   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:175-181
   via concurrent_manager.tf:160-192 (aws_instance.concurrent_manager)
────────────────────────────────────────
 160   resource "aws_instance" "concurrent_manager" {
 ...   
 175 ┌   root_block_device {
 176 │     tags = merge(
 177 │       { "instance-scheduling" = "skip-scheduling" },
 178 │       local.tags,
 179 │       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
 180 │     )
 181 └   }
 ...   
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:194-196
   via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 194 ┌   metadata_options {
 195 │     http_tokens = "optional"
 196 └   }
 ...   
 212   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:198-204
   via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 198 ┌   root_block_device {
 199 │     tags = merge(
 200 │       { "instance-scheduling" = "skip-scheduling" },
 201 │       local.tags,
 202 │       { "Name" = "${local.application_name_short}-database-root" }
 203 │     )
 204 └   }
 ...   
 ...   
────────────────────────────────────────


trivy_exitcode=1

@vc13837 vc13837 temporarily deployed to contract-work-administration-development October 31, 2024 11:30 — with GitHub Actions Inactive
Contributor

Trivy Scan Failed

```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-10-31T11:30:49Z INFO [vulndb] Need to update DB
2024-10-31T11:30:49Z INFO [vulndb] Downloading vulnerability DB...
2024-10-31T11:30:49Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T11:30:51Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T11:30:51Z INFO [vuln] Vulnerability scanning is enabled
2024-10-31T11:30:51Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-31T11:30:51Z INFO [misconfig] Need to update the built-in checks
2024-10-31T11:30:51Z INFO [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-31T11:30:51Z INFO [secret] Secret scanning is enabled
2024-10-31T11:30:51Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-31T11:30:51Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-31T11:30:53Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-31T11:30:53Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-31T11:30:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-31T11:30:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-31T11:30:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T11:30:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T11:30:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T11:30:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T11:30:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T11:30:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T11:30:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T11:30:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T11:30:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T11:30:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T11:30:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T11:30:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T11:30:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T11:30:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T11:30:55Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-31T11:30:55Z INFO Number of language-specific files num=0
2024-10-31T11:30:55Z INFO Detected config files num=9

alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:193-195
via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
182 resource "aws_instance" "app1" {
...
193 ┌ metadata_options {
194 │ http_tokens = "optional"
195 └ }
...
214 }
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:228-230
via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
216 resource "aws_instance" "app2" {
...
228 ┌ metadata_options {
229 │ http_tokens = "optional"
230 └ }
...
249 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:197-203
via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
182 resource "aws_instance" "app1" {
...
197 ┌ root_block_device {
198 │ tags = merge(
199 │ { "instance-scheduling" = "skip-scheduling" },
200 │ local.tags,
201 │ { "Name" = "${local.application_name_short}-app1-root" }
202 │ )
203 └ }
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:232-238
via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
216 resource "aws_instance" "app2" {
...
232 ┌ root_block_device {
233 │ tags = merge(
234 │ { "instance-scheduling" = "skip-scheduling" },
235 │ local.tags,
236 │ { "Name" = "${local.application_name_short}-app2-root" }
237 │ )
238 └ }
...
────────────────────────────────────────

backup_lambda.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:171-173
via concurrent_manager.tf:160-192 (aws_instance.concurrent_manager)
────────────────────────────────────────
160 resource "aws_instance" "concurrent_manager" {
...
171 ┌ metadata_options {
172 │ http_tokens = "optional"
173 └ }
...
192 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:175-181
via concurrent_manager.tf:160-192 (aws_instance.concurrent_manager)
────────────────────────────────────────
160 resource "aws_instance" "concurrent_manager" {
...
175 ┌ root_block_device {
176 │ tags = merge(
177 │ { "instance-scheduling" = "skip-scheduling" },
178 │ local.tags,
179 │ { "Name" = "${local.application_name_short}-concurrent-manager-root" }
180 │ )
181 └ }
...
────────────────────────────────────────

database.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:194-196
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
194 ┌ metadata_options {
195 │ http_tokens = "optional"
196 └ }
...
212 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:198-204
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
198 ┌ root_block_device {
199 │ tags = merge(
200 │ { "instance-scheduling" = "skip-scheduling" },
201 │ local.tags,
202 │ { "Name" = "${local.application_name_short}-database-root" }
203 │ )
204 └ }
...
────────────────────────────────────────

trivy_exitcode=1

```

Checkov Scan Failed

Show Output ```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-31 11:30:58,309 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-31 11:30:58,310 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-10-31 11:30:58,310 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-31 11:30:58,336 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-31 11:30:58,345 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:182-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		182 | resource "aws_instance" "app1" {
		183 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		184 |   availability_zone           = "eu-west-2a"
		185 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		186 |   monitoring                  = true
		187 |   vpc_security_group_ids      = [aws_security_group.app.id]
		188 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		189 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		190 |   key_name                    = aws_key_pair.cwa.key_name
		191 |   user_data_base64            = base64encode(local.app_userdata)
		192 |   user_data_replace_on_change = true
		193 |   metadata_options {
		194 |     http_tokens = "optional"
		195 |   }
		196 | 
		197 |   root_block_device {
		198 |     tags = merge(
		199 |       { "instance-scheduling" = "skip-scheduling" },
		200 |       local.tags,
		201 |       { "Name" = "${local.application_name_short}-app1-root" }
		202 |     )
		203 |   }
		204 | 
		205 |   tags = merge(
		206 |     { "instance-scheduling" = "skip-scheduling" },
		207 |     local.tags,
		208 |     { "Name" = local.appserver1_ec2_name },
		209 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		210 |   )
		211 | 
		212 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		213 | 
		214 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:182-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		182 | resource "aws_instance" "app1" {
		183 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		184 |   availability_zone           = "eu-west-2a"
		185 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		186 |   monitoring                  = true
		187 |   vpc_security_group_ids      = [aws_security_group.app.id]
		188 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		189 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		190 |   key_name                    = aws_key_pair.cwa.key_name
		191 |   user_data_base64            = base64encode(local.app_userdata)
		192 |   user_data_replace_on_change = true
		193 |   metadata_options {
		194 |     http_tokens = "optional"
		195 |   }
		196 | 
		197 |   root_block_device {
		198 |     tags = merge(
		199 |       { "instance-scheduling" = "skip-scheduling" },
		200 |       local.tags,
		201 |       { "Name" = "${local.application_name_short}-app1-root" }
		202 |     )
		203 |   }
		204 | 
		205 |   tags = merge(
		206 |     { "instance-scheduling" = "skip-scheduling" },
		207 |     local.tags,
		208 |     { "Name" = local.appserver1_ec2_name },
		209 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		210 |   )
		211 | 
		212 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		213 | 
		214 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:216-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		216 | resource "aws_instance" "app2" {
		217 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		218 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		219 |   availability_zone      = "eu-west-2a"
		220 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		221 |   monitoring             = true
		222 |   vpc_security_group_ids = [aws_security_group.app.id]
		223 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		224 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		225 |   key_name               = aws_key_pair.cwa.key_name
		226 |   user_data_base64       = base64encode(local.app_userdata)
		227 |   user_data_replace_on_change = false
		228 |   metadata_options {
		229 |     http_tokens = "optional"
		230 |   }
		231 | 
		232 |   root_block_device {
		233 |     tags = merge(
		234 |       { "instance-scheduling" = "skip-scheduling" },
		235 |       local.tags,
		236 |       { "Name" = "${local.application_name_short}-app2-root" }
		237 |     )
		238 |   }
		239 | 
		240 |   tags = merge(
		241 |     { "instance-scheduling" = "skip-scheduling" },
		242 |     local.tags,
		243 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		244 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		245 |   )
		246 | 
		247 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		248 | 
		249 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:216-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		216 | resource "aws_instance" "app2" {
		217 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		218 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		219 |   availability_zone      = "eu-west-2a"
		220 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		221 |   monitoring             = true
		222 |   vpc_security_group_ids = [aws_security_group.app.id]
		223 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		224 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		225 |   key_name               = aws_key_pair.cwa.key_name
		226 |   user_data_base64       = base64encode(local.app_userdata)
		227 |   user_data_replace_on_change = false
		228 |   metadata_options {
		229 |     http_tokens = "optional"
		230 |   }
		231 | 
		232 |   root_block_device {
		233 |     tags = merge(
		234 |       { "instance-scheduling" = "skip-scheduling" },
		235 |       local.tags,
		236 |       { "Name" = "${local.application_name_short}-app2-root" }
		237 |     )
		238 |   }
		239 | 
		240 |   tags = merge(
		241 |     { "instance-scheduling" = "skip-scheduling" },
		242 |     local.tags,
		243 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		244 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		245 |   )
		246 | 
		247 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		248 | 
		249 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:267-271
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		267 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		268 |   security_group_id = aws_security_group.app.id
		269 |   cidr_ipv4         = "0.0.0.0/0"
		270 |   ip_protocol       = "-1"
		271 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:273-280
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		273 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		274 |   security_group_id            = aws_security_group.app.id
		275 |   description                  = "SSH from the Bastion"
		276 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		277 |   from_port                    = 22
		278 |   ip_protocol                  = "tcp"
		279 |   to_port                      = 22
		280 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:160-192
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		160 | resource "aws_instance" "concurrent_manager" {
		161 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		162 |   availability_zone           = "eu-west-2a"
		163 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		164 |   monitoring                  = true
		165 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		166 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		167 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		168 |   key_name                    = aws_key_pair.cwa.key_name
		169 |   user_data_base64            = base64encode(local.cm_userdata)
		170 |   user_data_replace_on_change = true
		171 |   metadata_options {
		172 |     http_tokens = "optional"
		173 |   }
		174 | 
		175 |   root_block_device {
		176 |     tags = merge(
		177 |       { "instance-scheduling" = "skip-scheduling" },
		178 |       local.tags,
		179 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		180 |     )
		181 |   }
		182 | 
		183 |   tags = merge(
		184 |     { "instance-scheduling" = "skip-scheduling" },
		185 |     local.tags,
		186 |     { "Name" = local.cm_ec2_name },
		187 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		188 |   )
		189 | 
		190 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		191 | 
		192 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:160-192
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		160 | resource "aws_instance" "concurrent_manager" {
		161 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		162 |   availability_zone           = "eu-west-2a"
		163 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		164 |   monitoring                  = true
		165 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		166 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		167 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		168 |   key_name                    = aws_key_pair.cwa.key_name
		169 |   user_data_base64            = base64encode(local.cm_userdata)
		170 |   user_data_replace_on_change = true
		171 |   metadata_options {
		172 |     http_tokens = "optional"
		173 |   }
		174 | 
		175 |   root_block_device {
		176 |     tags = merge(
		177 |       { "instance-scheduling" = "skip-scheduling" },
		178 |       local.tags,
		179 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		180 |     )
		181 |   }
		182 | 
		183 |   tags = merge(
		184 |     { "instance-scheduling" = "skip-scheduling" },
		185 |     local.tags,
		186 |     { "Name" = local.cm_ec2_name },
		187 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		188 |   )
		189 | 
		190 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		191 | 
		192 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:210-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		210 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		211 |   security_group_id = aws_security_group.concurrent_manager.id
		212 |   cidr_ipv4         = "0.0.0.0/0"
		213 |   ip_protocol       = "-1"
		214 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:216-223
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		216 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		217 |   security_group_id            = aws_security_group.concurrent_manager.id
		218 |   description                  = "SSH from the Bastion"
		219 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		220 |   from_port                    = 22
		221 |   ip_protocol                  = "tcp"
		222 |   to_port                      = 22
		223 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:235-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		235 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		236 |   security_group_id = aws_security_group.database.id
		237 |   cidr_ipv4         = "0.0.0.0/0"
		238 |   ip_protocol       = "-1"
		239 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:241-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		241 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		242 |   security_group_id            = aws_security_group.database.id
		243 |   description                  = "SSH from the Bastion"
		244 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		245 |   from_port                    = 22
		246 |   ip_protocol                  = "tcp"
		247 |   to_port                      = 22
		248 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:250-257
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		250 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		251 |   security_group_id            = aws_security_group.database.id
		252 |   description                  = "Allow Lambda SSH access for backup snapshots"
		253 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		254 |   from_port                    = 22
		255 |   ip_protocol                  = "tcp"
		256 |   to_port                      = 22
		257 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:387-403
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		387 | resource "aws_ebs_volume" "app1" {
		388 |   availability_zone = "eu-west-2a"
		389 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		390 |   type              = "gp2"
		391 |   encrypted         = true
		392 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		393 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		394 | 
		395 |   lifecycle {
		396 |     ignore_changes = [kms_key_id]
		397 |   }
		398 | 
		399 |   tags = merge(
		400 |     local.tags,
		401 |     { "Name" = "${local.application_name_short}-app1-data" },
		402 |   )
		403 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:411-428
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		411 | resource "aws_ebs_volume" "app2" {
		412 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		413 |   availability_zone = "eu-west-2a"
		414 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		415 |   type              = "gp2"
		416 |   encrypted         = true
		417 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		418 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		419 | 
		420 |   lifecycle {
		421 |     ignore_changes = [kms_key_id]
		422 |   }
		423 | 
		424 |   tags = merge(
		425 |     local.tags,
		426 |     { "Name" = "${local.application_name_short}-app2-data" },
		427 |   )
		428 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:247-263
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		247 | resource "aws_ebs_volume" "concurrent_manager" {
		248 |   availability_zone = "eu-west-2a"
		249 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		250 |   type              = "gp2"
		251 |   encrypted         = true
		252 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		253 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		254 | 
		255 |   lifecycle {
		256 |     ignore_changes = [kms_key_id]
		257 |   }
		258 | 
		259 |   tags = merge(
		260 |     local.tags,
		261 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		262 |   )
		263 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:419-435
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		419 | resource "aws_ebs_volume" "oradata" {
		420 |   availability_zone = "eu-west-2a"
		421 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		422 |   type              = "gp2"
		423 |   encrypted         = true
		424 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		425 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		426 | 
		427 |   lifecycle {
		428 |     ignore_changes = [kms_key_id]
		429 |   }
		430 | 
		431 |   tags = merge(
		432 |     local.tags,
		433 |     { "Name" = "${local.application_name_short}-database-oradata" },
		434 |   )
		435 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:443-459
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		443 | resource "aws_ebs_volume" "oracle" {
		444 |   availability_zone = "eu-west-2a"
		445 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		446 |   type              = "gp2"
		447 |   encrypted         = true
		448 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		449 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		450 | 
		451 |   lifecycle {
		452 |     ignore_changes = [kms_key_id]
		453 |   }
		454 | 
		455 |   tags = merge(
		456 |     local.tags,
		457 |     { "Name" = "${local.application_name_short}-database-oracle" },
		458 |   )
		459 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:467-483
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		467 | resource "aws_ebs_volume" "oraarch" {
		468 |   availability_zone = "eu-west-2a"
		469 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		470 |   type              = "gp2"
		471 |   encrypted         = true
		472 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		473 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		474 | 
		475 |   lifecycle {
		476 |     ignore_changes = [kms_key_id]
		477 |   }
		478 | 
		479 |   tags = merge(
		480 |     local.tags,
		481 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		482 |   )
		483 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:491-507
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		491 | resource "aws_ebs_volume" "oratmp" {
		492 |   availability_zone = "eu-west-2a"
		493 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		494 |   type              = "gp2"
		495 |   encrypted         = true
		496 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		497 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		498 | 
		499 |   lifecycle {
		500 |     ignore_changes = [kms_key_id]
		501 |   }
		502 | 
		503 |   tags = merge(
		504 |     local.tags,
		505 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		506 |   )
		507 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:515-531
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		515 | resource "aws_ebs_volume" "oraredo" {
		516 |   availability_zone = "eu-west-2a"
		517 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		518 |   type              = "gp2"
		519 |   encrypted         = true
		520 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		521 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		522 | 
		523 |   lifecycle {
		524 |     ignore_changes = [kms_key_id]
		525 |   }
		526 | 
		527 |   tags = merge(
		528 |     local.tags,
		529 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		530 |   )
		531 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:539-555
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		539 | resource "aws_ebs_volume" "share" {
		540 |   availability_zone = "eu-west-2a"
		541 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		542 |   type              = "gp2"
		543 |   encrypted         = true
		544 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		545 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		546 | 
		547 |   lifecycle {
		548 |     ignore_changes = [kms_key_id]
		549 |   }
		550 | 
		551 |   tags = merge(
		552 |     local.tags,
		553 |     { "Name" = "${local.application_name_short}-database-share" },
		554 |   )
		555 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/database.tf line 174:
 174: resource "time_sleep" "wait_db_userdata_scripts" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-10-31T11:30:49Z	INFO	[vulndb] Need to update DB
2024-10-31T11:30:49Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-31T11:30:49Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T11:30:51Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T11:30:51Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-31T11:30:51Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-31T11:30:51Z	INFO	[misconfig] Need to update the built-in checks
2024-10-31T11:30:51Z	INFO	[misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-31T11:30:51Z	INFO	[secret] Secret scanning is enabled
2024-10-31T11:30:51Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-31T11:30:51Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-31T11:30:53Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-31T11:30:53Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-31T11:30:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-31T11:30:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-31T11:30:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T11:30:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T11:30:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T11:30:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T11:30:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T11:30:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T11:30:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T11:30:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T11:30:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T11:30:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T11:30:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T11:30:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T11:30:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T11:30:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T11:30:55Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-31T11:30:55Z	INFO	Number of language-specific files	num=0
2024-10-31T11:30:55Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:193-195
   via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
 182   resource "aws_instance" "app1" {
 ...   
 193 ┌   metadata_options {
 194 │     http_tokens = "optional"
 195 └   }
 ...   
 214   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:228-230
   via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
 216   resource "aws_instance" "app2" {
 ...   
 228 ┌   metadata_options {
 229 │     http_tokens = "optional"
 230 └   }
 ...   
 249   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:197-203
   via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
 182   resource "aws_instance" "app1" {
 ...   
 197 ┌   root_block_device {
 198 │     tags = merge(
 199 │       { "instance-scheduling" = "skip-scheduling" },
 200 │       local.tags,
 201 │       { "Name" = "${local.application_name_short}-app1-root" }
 202 │     )
 203 └   }
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:232-238
   via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
 216   resource "aws_instance" "app2" {
 ...   
 232 ┌   root_block_device {
 233 │     tags = merge(
 234 │       { "instance-scheduling" = "skip-scheduling" },
 235 │       local.tags,
 236 │       { "Name" = "${local.application_name_short}-app2-root" }
 237 │     )
 238 └   }
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:171-173
   via concurrent_manager.tf:160-192 (aws_instance.concurrent_manager)
────────────────────────────────────────
 160   resource "aws_instance" "concurrent_manager" {
 ...   
 171 ┌   metadata_options {
 172 │     http_tokens = "optional"
 173 └   }
 ...   
 192   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:175-181
   via concurrent_manager.tf:160-192 (aws_instance.concurrent_manager)
────────────────────────────────────────
 160   resource "aws_instance" "concurrent_manager" {
 ...   
 175 ┌   root_block_device {
 176 │     tags = merge(
 177 │       { "instance-scheduling" = "skip-scheduling" },
 178 │       local.tags,
 179 │       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
 180 │     )
 181 └   }
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:194-196
   via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 194 ┌   metadata_options {
 195 │     http_tokens = "optional"
 196 └   }
 ...   
 212   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:198-204
   via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 198 ┌   root_block_device {
 199 │     tags = merge(
 200 │       { "instance-scheduling" = "skip-scheduling" },
 201 │       local.tags,
 202 │       { "Name" = "${local.application_name_short}-database-root" }
 203 │     )
 204 └   }
 ...   
────────────────────────────────────────


trivy_exitcode=1

@vc13837 vc13837 temporarily deployed to contract-work-administration-development October 31, 2024 12:27 — with GitHub Actions Inactive

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-10-31T12:28:20Z INFO [vulndb] Need to update DB
2024-10-31T12:28:20Z INFO [vulndb] Downloading vulnerability DB...
2024-10-31T12:28:20Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T12:28:23Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T12:28:23Z INFO [vuln] Vulnerability scanning is enabled
2024-10-31T12:28:23Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-31T12:28:23Z INFO [misconfig] Need to update the built-in checks
2024-10-31T12:28:23Z INFO [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-31T12:28:23Z INFO [secret] Secret scanning is enabled
2024-10-31T12:28:23Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-31T12:28:23Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-31T12:28:24Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-31T12:28:24Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-31T12:28:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-31T12:28:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-31T12:28:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T12:28:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T12:28:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T12:28:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T12:28:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T12:28:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T12:28:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T12:28:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T12:28:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T12:28:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T12:28:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T12:28:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T12:28:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T12:28:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T12:28:27Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-31T12:28:27Z INFO Number of language-specific files num=0
2024-10-31T12:28:27Z INFO Detected config files num=9

alb.tf (terraform)
==================

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

app_servers.tf (terraform)
==========================

Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:193-195
via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
182 resource "aws_instance" "app1" {
...
193 ┌ metadata_options {
194 │ http_tokens = "optional"
195 └ }
...
214 }
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:228-230
via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
216 resource "aws_instance" "app2" {
...
228 ┌ metadata_options {
229 │ http_tokens = "optional"
230 └ }
...
249 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:197-203
via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
182 resource "aws_instance" "app1" {
...
197 ┌ root_block_device {
198 │ tags = merge(
199 │ { "instance-scheduling" = "skip-scheduling" },
200 │ local.tags,
201 │ { "Name" = "${local.application_name_short}-app1-root" }
202 │ )
203 └ }
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:232-238
via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
216 resource "aws_instance" "app2" {
...
232 ┌ root_block_device {
233 │ tags = merge(
234 │ { "instance-scheduling" = "skip-scheduling" },
235 │ local.tags,
236 │ { "Name" = "${local.application_name_short}-app2-root" }
237 │ )
238 └ }
...
────────────────────────────────────────

backup_lambda.tf (terraform)
============================

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

concurrent_manager.tf (terraform)
=================================

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:173-175
via concurrent_manager.tf:162-194 (aws_instance.concurrent_manager)
────────────────────────────────────────
162 resource "aws_instance" "concurrent_manager" {
...
173 ┌ metadata_options {
174 │ http_tokens = "optional"
175 └ }
...
194 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:177-183
via concurrent_manager.tf:162-194 (aws_instance.concurrent_manager)
────────────────────────────────────────
162 resource "aws_instance" "concurrent_manager" {
...
177 ┌ root_block_device {
178 │ tags = merge(
179 │ { "instance-scheduling" = "skip-scheduling" },
180 │ local.tags,
181 │ { "Name" = "${local.application_name_short}-concurrent-manager-root" }
182 │ )
183 └ }
...
────────────────────────────────────────

database.tf (terraform)
=======================

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:194-196
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
194 ┌ metadata_options {
195 │ http_tokens = "optional"
196 └ }
...
212 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:198-204
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
198 ┌ root_block_device {
199 │ tags = merge(
200 │ { "instance-scheduling" = "skip-scheduling" },
201 │ local.tags,
202 │ { "Name" = "${local.application_name_short}-database-root" }
203 │ )
204 └ }
...
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed

Show Output

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-31 12:28:30,494 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-31 12:28:30,494 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-10-31 12:28:30,495 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-31 12:28:30,522 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-31 12:28:30,523 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:182-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		182 | resource "aws_instance" "app1" {
		183 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		184 |   availability_zone           = "eu-west-2a"
		185 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		186 |   monitoring                  = true
		187 |   vpc_security_group_ids      = [aws_security_group.app.id]
		188 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		189 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		190 |   key_name                    = aws_key_pair.cwa.key_name
		191 |   user_data_base64            = base64encode(local.app_userdata)
		192 |   user_data_replace_on_change = true
		193 |   metadata_options {
		194 |     http_tokens = "optional"
		195 |   }
		196 | 
		197 |   root_block_device {
		198 |     tags = merge(
		199 |       { "instance-scheduling" = "skip-scheduling" },
		200 |       local.tags,
		201 |       { "Name" = "${local.application_name_short}-app1-root" }
		202 |     )
		203 |   }
		204 | 
		205 |   tags = merge(
		206 |     { "instance-scheduling" = "skip-scheduling" },
		207 |     local.tags,
		208 |     { "Name" = local.appserver1_ec2_name },
		209 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		210 |   )
		211 | 
		212 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		213 | 
		214 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:182-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		182 | resource "aws_instance" "app1" {
		183 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		184 |   availability_zone           = "eu-west-2a"
		185 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		186 |   monitoring                  = true
		187 |   vpc_security_group_ids      = [aws_security_group.app.id]
		188 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		189 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		190 |   key_name                    = aws_key_pair.cwa.key_name
		191 |   user_data_base64            = base64encode(local.app_userdata)
		192 |   user_data_replace_on_change = true
		193 |   metadata_options {
		194 |     http_tokens = "optional"
		195 |   }
		196 | 
		197 |   root_block_device {
		198 |     tags = merge(
		199 |       { "instance-scheduling" = "skip-scheduling" },
		200 |       local.tags,
		201 |       { "Name" = "${local.application_name_short}-app1-root" }
		202 |     )
		203 |   }
		204 | 
		205 |   tags = merge(
		206 |     { "instance-scheduling" = "skip-scheduling" },
		207 |     local.tags,
		208 |     { "Name" = local.appserver1_ec2_name },
		209 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		210 |   )
		211 | 
		212 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		213 | 
		214 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:216-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		216 | resource "aws_instance" "app2" {
		217 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		218 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		219 |   availability_zone      = "eu-west-2a"
		220 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		221 |   monitoring             = true
		222 |   vpc_security_group_ids = [aws_security_group.app.id]
		223 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		224 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		225 |   key_name               = aws_key_pair.cwa.key_name
		226 |   user_data_base64       = base64encode(local.app_userdata)
		227 |   user_data_replace_on_change = false
		228 |   metadata_options {
		229 |     http_tokens = "optional"
		230 |   }
		231 | 
		232 |   root_block_device {
		233 |     tags = merge(
		234 |       { "instance-scheduling" = "skip-scheduling" },
		235 |       local.tags,
		236 |       { "Name" = "${local.application_name_short}-app2-root" }
		237 |     )
		238 |   }
		239 | 
		240 |   tags = merge(
		241 |     { "instance-scheduling" = "skip-scheduling" },
		242 |     local.tags,
		243 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		244 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		245 |   )
		246 | 
		247 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		248 | 
		249 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:216-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		216 | resource "aws_instance" "app2" {
		217 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		218 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		219 |   availability_zone      = "eu-west-2a"
		220 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		221 |   monitoring             = true
		222 |   vpc_security_group_ids = [aws_security_group.app.id]
		223 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		224 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		225 |   key_name               = aws_key_pair.cwa.key_name
		226 |   user_data_base64       = base64encode(local.app_userdata)
		227 |   user_data_replace_on_change = false
		228 |   metadata_options {
		229 |     http_tokens = "optional"
		230 |   }
		231 | 
		232 |   root_block_device {
		233 |     tags = merge(
		234 |       { "instance-scheduling" = "skip-scheduling" },
		235 |       local.tags,
		236 |       { "Name" = "${local.application_name_short}-app2-root" }
		237 |     )
		238 |   }
		239 | 
		240 |   tags = merge(
		241 |     { "instance-scheduling" = "skip-scheduling" },
		242 |     local.tags,
		243 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		244 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		245 |   )
		246 | 
		247 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		248 | 
		249 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:267-271
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		267 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		268 |   security_group_id = aws_security_group.app.id
		269 |   cidr_ipv4         = "0.0.0.0/0"
		270 |   ip_protocol       = "-1"
		271 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:273-280
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		273 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		274 |   security_group_id            = aws_security_group.app.id
		275 |   description                  = "SSH from the Bastion"
		276 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		277 |   from_port                    = 22
		278 |   ip_protocol                  = "tcp"
		279 |   to_port                      = 22
		280 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:162-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		162 | resource "aws_instance" "concurrent_manager" {
		163 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		164 |   availability_zone           = "eu-west-2a"
		165 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		166 |   monitoring                  = true
		167 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		168 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		169 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		170 |   key_name                    = aws_key_pair.cwa.key_name
		171 |   user_data_base64            = base64encode(local.cm_userdata)
		172 |   user_data_replace_on_change = true
		173 |   metadata_options {
		174 |     http_tokens = "optional"
		175 |   }
		176 | 
		177 |   root_block_device {
		178 |     tags = merge(
		179 |       { "instance-scheduling" = "skip-scheduling" },
		180 |       local.tags,
		181 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		182 |     )
		183 |   }
		184 | 
		185 |   tags = merge(
		186 |     { "instance-scheduling" = "skip-scheduling" },
		187 |     local.tags,
		188 |     { "Name" = local.cm_ec2_name },
		189 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		190 |   )
		191 | 
		192 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		193 | 
		194 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:162-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		162 | resource "aws_instance" "concurrent_manager" {
		163 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		164 |   availability_zone           = "eu-west-2a"
		165 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		166 |   monitoring                  = true
		167 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		168 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		169 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		170 |   key_name                    = aws_key_pair.cwa.key_name
		171 |   user_data_base64            = base64encode(local.cm_userdata)
		172 |   user_data_replace_on_change = true
		173 |   metadata_options {
		174 |     http_tokens = "optional"
		175 |   }
		176 | 
		177 |   root_block_device {
		178 |     tags = merge(
		179 |       { "instance-scheduling" = "skip-scheduling" },
		180 |       local.tags,
		181 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		182 |     )
		183 |   }
		184 | 
		185 |   tags = merge(
		186 |     { "instance-scheduling" = "skip-scheduling" },
		187 |     local.tags,
		188 |     { "Name" = local.cm_ec2_name },
		189 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		190 |   )
		191 | 
		192 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		193 | 
		194 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		212 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		213 |   security_group_id = aws_security_group.concurrent_manager.id
		214 |   cidr_ipv4         = "0.0.0.0/0"
		215 |   ip_protocol       = "-1"
		216 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:218-225
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		218 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		219 |   security_group_id            = aws_security_group.concurrent_manager.id
		220 |   description                  = "SSH from the Bastion"
		221 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		222 |   from_port                    = 22
		223 |   ip_protocol                  = "tcp"
		224 |   to_port                      = 22
		225 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:235-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		235 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		236 |   security_group_id = aws_security_group.database.id
		237 |   cidr_ipv4         = "0.0.0.0/0"
		238 |   ip_protocol       = "-1"
		239 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:241-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		241 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		242 |   security_group_id            = aws_security_group.database.id
		243 |   description                  = "SSH from the Bastion"
		244 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		245 |   from_port                    = 22
		246 |   ip_protocol                  = "tcp"
		247 |   to_port                      = 22
		248 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:250-257
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		250 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		251 |   security_group_id            = aws_security_group.database.id
		252 |   description                  = "Allow Lambda SSH access for backup snapshots"
		253 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		254 |   from_port                    = 22
		255 |   ip_protocol                  = "tcp"
		256 |   to_port                      = 22
		257 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }

Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:387-403
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		387 | resource "aws_ebs_volume" "app1" {
		388 |   availability_zone = "eu-west-2a"
		389 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		390 |   type              = "gp2"
		391 |   encrypted         = true
		392 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		393 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		394 | 
		395 |   lifecycle {
		396 |     ignore_changes = [kms_key_id]
		397 |   }
		398 | 
		399 |   tags = merge(
		400 |     local.tags,
		401 |     { "Name" = "${local.application_name_short}-app1-data" },
		402 |   )
		403 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:411-428
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		411 | resource "aws_ebs_volume" "app2" {
		412 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		413 |   availability_zone = "eu-west-2a"
		414 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		415 |   type              = "gp2"
		416 |   encrypted         = true
		417 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		418 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		419 | 
		420 |   lifecycle {
		421 |     ignore_changes = [kms_key_id]
		422 |   }
		423 | 
		424 |   tags = merge(
		425 |     local.tags,
		426 |     { "Name" = "${local.application_name_short}-app2-data" },
		427 |   )
		428 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:249-265
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		249 | resource "aws_ebs_volume" "concurrent_manager" {
		250 |   availability_zone = "eu-west-2a"
		251 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		252 |   type              = "gp2"
		253 |   encrypted         = true
		254 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		255 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		256 | 
		257 |   lifecycle {
		258 |     ignore_changes = [kms_key_id]
		259 |   }
		260 | 
		261 |   tags = merge(
		262 |     local.tags,
		263 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		264 |   )
		265 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:419-435
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		419 | resource "aws_ebs_volume" "oradata" {
		420 |   availability_zone = "eu-west-2a"
		421 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		422 |   type              = "gp2"
		423 |   encrypted         = true
		424 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		425 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		426 | 
		427 |   lifecycle {
		428 |     ignore_changes = [kms_key_id]
		429 |   }
		430 | 
		431 |   tags = merge(
		432 |     local.tags,
		433 |     { "Name" = "${local.application_name_short}-database-oradata" },
		434 |   )
		435 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:443-459
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		443 | resource "aws_ebs_volume" "oracle" {
		444 |   availability_zone = "eu-west-2a"
		445 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		446 |   type              = "gp2"
		447 |   encrypted         = true
		448 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		449 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		450 | 
		451 |   lifecycle {
		452 |     ignore_changes = [kms_key_id]
		453 |   }
		454 | 
		455 |   tags = merge(
		456 |     local.tags,
		457 |     { "Name" = "${local.application_name_short}-database-oracle" },
		458 |   )
		459 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:467-483
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		467 | resource "aws_ebs_volume" "oraarch" {
		468 |   availability_zone = "eu-west-2a"
		469 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		470 |   type              = "gp2"
		471 |   encrypted         = true
		472 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		473 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		474 | 
		475 |   lifecycle {
		476 |     ignore_changes = [kms_key_id]
		477 |   }
		478 | 
		479 |   tags = merge(
		480 |     local.tags,
		481 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		482 |   )
		483 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:491-507
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		491 | resource "aws_ebs_volume" "oratmp" {
		492 |   availability_zone = "eu-west-2a"
		493 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		494 |   type              = "gp2"
		495 |   encrypted         = true
		496 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		497 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		498 | 
		499 |   lifecycle {
		500 |     ignore_changes = [kms_key_id]
		501 |   }
		502 | 
		503 |   tags = merge(
		504 |     local.tags,
		505 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		506 |   )
		507 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:515-531
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		515 | resource "aws_ebs_volume" "oraredo" {
		516 |   availability_zone = "eu-west-2a"
		517 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		518 |   type              = "gp2"
		519 |   encrypted         = true
		520 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		521 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		522 | 
		523 |   lifecycle {
		524 |     ignore_changes = [kms_key_id]
		525 |   }
		526 | 
		527 |   tags = merge(
		528 |     local.tags,
		529 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		530 |   )
		531 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:539-555
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		539 | resource "aws_ebs_volume" "share" {
		540 |   availability_zone = "eu-west-2a"
		541 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		542 |   type              = "gp2"
		543 |   encrypted         = true
		544 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		545 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		546 | 
		547 |   lifecycle {
		548 |     ignore_changes = [kms_key_id]
		549 |   }
		550 | 
		551 |   tags = merge(
		552 |     local.tags,
		553 |     { "Name" = "${local.application_name_short}-database-share" },
		554 |   )
		555 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/database.tf line 174:
 174: resource "time_sleep" "wait_db_userdata_scripts" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-10-31T12:28:20Z	INFO	[vulndb] Need to update DB
2024-10-31T12:28:20Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-31T12:28:20Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T12:28:23Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T12:28:23Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-31T12:28:23Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-31T12:28:23Z	INFO	[misconfig] Need to update the built-in checks
2024-10-31T12:28:23Z	INFO	[misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-31T12:28:23Z	INFO	[secret] Secret scanning is enabled
2024-10-31T12:28:23Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-31T12:28:23Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-31T12:28:24Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-31T12:28:24Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-31T12:28:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-31T12:28:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-31T12:28:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T12:28:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T12:28:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T12:28:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T12:28:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T12:28:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T12:28:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T12:28:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T12:28:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T12:28:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T12:28:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T12:28:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T12:28:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T12:28:26Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T12:28:27Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-31T12:28:27Z	INFO	Number of language-specific files	num=0
2024-10-31T12:28:27Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 │   enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 │   enable_http2               = false
 ...   
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:193-195
   via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
 182   resource "aws_instance" "app1" {
 ...   
 193 ┌   metadata_options {
 194 │     http_tokens = "optional"
 195 └   }
 ...   
 214   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:228-230
   via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
 216   resource "aws_instance" "app2" {
 ...   
 228 ┌   metadata_options {
 229 │     http_tokens = "optional"
 230 └   }
 ...   
 249   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:197-203
   via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
 182   resource "aws_instance" "app1" {
 ...   
 197 ┌   root_block_device {
 198 │     tags = merge(
 199 │       { "instance-scheduling" = "skip-scheduling" },
 200 │       local.tags,
 201 │       { "Name" = "${local.application_name_short}-app1-root" }
 202 │     )
 203 └   }
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:232-238
   via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
 216   resource "aws_instance" "app2" {
 ...   
 232 ┌   root_block_device {
 233 │     tags = merge(
 234 │       { "instance-scheduling" = "skip-scheduling" },
 235 │       local.tags,
 236 │       { "Name" = "${local.application_name_short}-app2-root" }
 237 │     )
 238 └   }
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:173-175
   via concurrent_manager.tf:162-194 (aws_instance.concurrent_manager)
────────────────────────────────────────
 162   resource "aws_instance" "concurrent_manager" {
 ...   
 173 ┌   metadata_options {
 174 │     http_tokens = "optional"
 175 └   }
 ...   
 194   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:177-183
   via concurrent_manager.tf:162-194 (aws_instance.concurrent_manager)
────────────────────────────────────────
 162   resource "aws_instance" "concurrent_manager" {
 ...   
 177 ┌   root_block_device {
 178 │     tags = merge(
 179 │       { "instance-scheduling" = "skip-scheduling" },
 180 │       local.tags,
 181 │       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
 182 │     )
 183 └   }
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:194-196
   via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 194 ┌   metadata_options {
 195 │     http_tokens = "optional"
 196 └   }
 ...   
 212   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:198-204
   via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 198 ┌   root_block_device {
 199 │     tags = merge(
 200 │       { "instance-scheduling" = "skip-scheduling" },
 201 │       local.tags,
 202 │       { "Name" = "${local.application_name_short}-database-root" }
 203 │     )
 204 └   }
 ...   
────────────────────────────────────────


trivy_exitcode=1

@vc13837 vc13837 temporarily deployed to contract-work-administration-development October 31, 2024 12:50 — with GitHub Actions Inactive

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-10-31T12:50:38Z INFO [vulndb] Need to update DB
2024-10-31T12:50:38Z INFO [vulndb] Downloading vulnerability DB...
2024-10-31T12:50:38Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T12:50:41Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T12:50:41Z INFO [vuln] Vulnerability scanning is enabled
2024-10-31T12:50:41Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-31T12:50:41Z INFO [misconfig] Need to update the built-in checks
2024-10-31T12:50:41Z INFO [misconfig] Downloading the built-in checks...
2024-10-31T12:50:41Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 806.57µs, allowed: 44000/minute\n\n"
2024-10-31T12:50:41Z INFO [secret] Secret scanning is enabled
2024-10-31T12:50:41Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-31T12:50:41Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-31T12:50:42Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-31T12:50:42Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-31T12:50:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-31T12:50:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-31T12:50:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T12:50:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T12:50:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T12:50:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T12:50:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T12:50:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T12:50:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T12:50:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T12:50:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T12:50:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T12:50:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T12:50:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T12:50:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T12:50:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T12:50:45Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-31T12:50:45Z INFO Number of language-specific files num=0
2024-10-31T12:50:45Z INFO Detected config files num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:132
via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
130 resource "aws_lb" "external" {
...
132 [ internal = false
...
153 }
────────────────────────────────────────

app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:194
via app_servers.tf:193-195 (metadata_options)
via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
182 resource "aws_instance" "app1" {
...
194 [ http_tokens = "optional"
...
214 }
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:229
via app_servers.tf:228-230 (metadata_options)
via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
216 resource "aws_instance" "app2" {
...
229 [ http_tokens = "optional"
...
249 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:182-214
────────────────────────────────────────
182 ┌ resource "aws_instance" "app1" {
183 │ ami = local.application_data.accounts[local.environment].app_ami_id
184 │ availability_zone = "eu-west-2a"
185 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
186 │ monitoring = true
187 │ vpc_security_group_ids = [aws_security_group.app.id]
188 │ subnet_id = data.aws_subnet.private_subnets_a.id
189 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
190 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:216-249
────────────────────────────────────────
216 ┌ resource "aws_instance" "app2" {
217 │ count = contains(["development2", "testing"], local.environment) ? 0 : 1
218 │ ami = local.application_data.accounts[local.environment].app_ami_id
219 │ availability_zone = "eu-west-2a"
220 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
221 │ monitoring = true
222 │ vpc_security_group_ids = [aws_security_group.app.id]
223 │ subnet_id = data.aws_subnet.private_subnets_a.id
224 └ iam_instance_profile = aws_iam_instance_profile.cwa.id
...
────────────────────────────────────────

backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:172
via concurrent_manager.tf:171-173 (metadata_options)
via concurrent_manager.tf:160-192 (aws_instance.concurrent_manager)
────────────────────────────────────────
160 resource "aws_instance" "concurrent_manager" {
...
172 [ http_tokens = "optional"
...
192 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:160-192
────────────────────────────────────────
160 ┌ resource "aws_instance" "concurrent_manager" {
161 │ ami = local.application_data.accounts[local.environment].cm_ami_id
162 │ availability_zone = "eu-west-2a"
163 │ instance_type = local.application_data.accounts[local.environment].cm_instance_type
164 │ monitoring = true
165 │ vpc_security_group_ids = [aws_security_group.concurrent_manager.id]
166 │ subnet_id = data.aws_subnet.private_subnets_a.id
167 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
168 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:195
via database.tf:194-196 (metadata_options)
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
195 [ http_tokens = "optional"
...
212 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:183-212
────────────────────────────────────────
183 ┌ resource "aws_instance" "database" {
184 │ ami = local.application_data.accounts[local.environment].db_ami_id
185 │ availability_zone = "eu-west-2a"
186 │ instance_type = local.application_data.accounts[local.environment].db_instance_type
187 │ monitoring = true
188 │ vpc_security_group_ids = [aws_security_group.database.id]
189 │ subnet_id = data.aws_subnet.data_subnets_a.id
190 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
191 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed

Show Output

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-31 12:50:48,664 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-31 12:50:48,664 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-10-31 12:50:48,664 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-31 12:50:48,694 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-31 12:50:48,694 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:182-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		182 | resource "aws_instance" "app1" {
		183 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		184 |   availability_zone           = "eu-west-2a"
		185 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		186 |   monitoring                  = true
		187 |   vpc_security_group_ids      = [aws_security_group.app.id]
		188 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		189 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		190 |   key_name                    = aws_key_pair.cwa.key_name
		191 |   user_data_base64            = base64encode(local.app_userdata)
		192 |   user_data_replace_on_change = true
		193 |   metadata_options {
		194 |     http_tokens = "optional"
		195 |   }
		196 | 
		197 |   root_block_device {
		198 |     tags = merge(
		199 |       { "instance-scheduling" = "skip-scheduling" },
		200 |       local.tags,
		201 |       { "Name" = "${local.application_name_short}-app1-root" }
		202 |     )
		203 |   }
		204 | 
		205 |   tags = merge(
		206 |     { "instance-scheduling" = "skip-scheduling" },
		207 |     local.tags,
		208 |     { "Name" = local.appserver1_ec2_name },
		209 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		210 |   )
		211 | 
		212 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		213 | 
		214 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:182-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		182 | resource "aws_instance" "app1" {
		183 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		184 |   availability_zone           = "eu-west-2a"
		185 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		186 |   monitoring                  = true
		187 |   vpc_security_group_ids      = [aws_security_group.app.id]
		188 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		189 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		190 |   key_name                    = aws_key_pair.cwa.key_name
		191 |   user_data_base64            = base64encode(local.app_userdata)
		192 |   user_data_replace_on_change = true
		193 |   metadata_options {
		194 |     http_tokens = "optional"
		195 |   }
		196 | 
		197 |   root_block_device {
		198 |     tags = merge(
		199 |       { "instance-scheduling" = "skip-scheduling" },
		200 |       local.tags,
		201 |       { "Name" = "${local.application_name_short}-app1-root" }
		202 |     )
		203 |   }
		204 | 
		205 |   tags = merge(
		206 |     { "instance-scheduling" = "skip-scheduling" },
		207 |     local.tags,
		208 |     { "Name" = local.appserver1_ec2_name },
		209 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		210 |   )
		211 | 
		212 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		213 | 
		214 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:216-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		216 | resource "aws_instance" "app2" {
		217 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		218 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		219 |   availability_zone      = "eu-west-2a"
		220 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		221 |   monitoring             = true
		222 |   vpc_security_group_ids = [aws_security_group.app.id]
		223 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		224 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		225 |   key_name               = aws_key_pair.cwa.key_name
		226 |   user_data_base64       = base64encode(local.app_userdata)
		227 |   user_data_replace_on_change = false
		228 |   metadata_options {
		229 |     http_tokens = "optional"
		230 |   }
		231 | 
		232 |   root_block_device {
		233 |     tags = merge(
		234 |       { "instance-scheduling" = "skip-scheduling" },
		235 |       local.tags,
		236 |       { "Name" = "${local.application_name_short}-app2-root" }
		237 |     )
		238 |   }
		239 | 
		240 |   tags = merge(
		241 |     { "instance-scheduling" = "skip-scheduling" },
		242 |     local.tags,
		243 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		244 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		245 |   )
		246 | 
		247 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		248 | 
		249 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:216-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		216 | resource "aws_instance" "app2" {
		217 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		218 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		219 |   availability_zone      = "eu-west-2a"
		220 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		221 |   monitoring             = true
		222 |   vpc_security_group_ids = [aws_security_group.app.id]
		223 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		224 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		225 |   key_name               = aws_key_pair.cwa.key_name
		226 |   user_data_base64       = base64encode(local.app_userdata)
		227 |   user_data_replace_on_change = false
		228 |   metadata_options {
		229 |     http_tokens = "optional"
		230 |   }
		231 | 
		232 |   root_block_device {
		233 |     tags = merge(
		234 |       { "instance-scheduling" = "skip-scheduling" },
		235 |       local.tags,
		236 |       { "Name" = "${local.application_name_short}-app2-root" }
		237 |     )
		238 |   }
		239 | 
		240 |   tags = merge(
		241 |     { "instance-scheduling" = "skip-scheduling" },
		242 |     local.tags,
		243 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		244 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		245 |   )
		246 | 
		247 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		248 | 
		249 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:267-271
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		267 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		268 |   security_group_id = aws_security_group.app.id
		269 |   cidr_ipv4         = "0.0.0.0/0"
		270 |   ip_protocol       = "-1"
		271 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:273-280
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		273 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		274 |   security_group_id            = aws_security_group.app.id
		275 |   description                  = "SSH from the Bastion"
		276 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		277 |   from_port                    = 22
		278 |   ip_protocol                  = "tcp"
		279 |   to_port                      = 22
		280 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:160-192
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		160 | resource "aws_instance" "concurrent_manager" {
		161 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		162 |   availability_zone           = "eu-west-2a"
		163 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		164 |   monitoring                  = true
		165 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		166 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		167 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		168 |   key_name                    = aws_key_pair.cwa.key_name
		169 |   user_data_base64            = base64encode(local.cm_userdata)
		170 |   user_data_replace_on_change = true
		171 |   metadata_options {
		172 |     http_tokens = "optional"
		173 |   }
		174 | 
		175 |   root_block_device {
		176 |     tags = merge(
		177 |       { "instance-scheduling" = "skip-scheduling" },
		178 |       local.tags,
		179 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		180 |     )
		181 |   }
		182 | 
		183 |   tags = merge(
		184 |     { "instance-scheduling" = "skip-scheduling" },
		185 |     local.tags,
		186 |     { "Name" = local.cm_ec2_name },
		187 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		188 |   )
		189 | 
		190 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		191 | 
		192 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:160-192
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		160 | resource "aws_instance" "concurrent_manager" {
		161 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		162 |   availability_zone           = "eu-west-2a"
		163 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		164 |   monitoring                  = true
		165 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		166 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		167 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		168 |   key_name                    = aws_key_pair.cwa.key_name
		169 |   user_data_base64            = base64encode(local.cm_userdata)
		170 |   user_data_replace_on_change = true
		171 |   metadata_options {
		172 |     http_tokens = "optional"
		173 |   }
		174 | 
		175 |   root_block_device {
		176 |     tags = merge(
		177 |       { "instance-scheduling" = "skip-scheduling" },
		178 |       local.tags,
		179 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		180 |     )
		181 |   }
		182 | 
		183 |   tags = merge(
		184 |     { "instance-scheduling" = "skip-scheduling" },
		185 |     local.tags,
		186 |     { "Name" = local.cm_ec2_name },
		187 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		188 |   )
		189 | 
		190 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		191 | 
		192 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:210-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		210 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		211 |   security_group_id = aws_security_group.concurrent_manager.id
		212 |   cidr_ipv4         = "0.0.0.0/0"
		213 |   ip_protocol       = "-1"
		214 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:216-223
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		216 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		217 |   security_group_id            = aws_security_group.concurrent_manager.id
		218 |   description                  = "SSH from the Bastion"
		219 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		220 |   from_port                    = 22
		221 |   ip_protocol                  = "tcp"
		222 |   to_port                      = 22
		223 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:235-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		235 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		236 |   security_group_id = aws_security_group.database.id
		237 |   cidr_ipv4         = "0.0.0.0/0"
		238 |   ip_protocol       = "-1"
		239 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:241-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		241 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		242 |   security_group_id            = aws_security_group.database.id
		243 |   description                  = "SSH from the Bastion"
		244 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		245 |   from_port                    = 22
		246 |   ip_protocol                  = "tcp"
		247 |   to_port                      = 22
		248 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:250-257
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		250 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		251 |   security_group_id            = aws_security_group.database.id
		252 |   description                  = "Allow Lambda SSH access for backup snapshots"
		253 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		254 |   from_port                    = 22
		255 |   ip_protocol                  = "tcp"
		256 |   to_port                      = 22
		257 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:387-403
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		387 | resource "aws_ebs_volume" "app1" {
		388 |   availability_zone = "eu-west-2a"
		389 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		390 |   type              = "gp2"
		391 |   encrypted         = true
		392 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		393 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		394 | 
		395 |   lifecycle {
		396 |     ignore_changes = [kms_key_id]
		397 |   }
		398 | 
		399 |   tags = merge(
		400 |     local.tags,
		401 |     { "Name" = "${local.application_name_short}-app1-data" },
		402 |   )
		403 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:411-428
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		411 | resource "aws_ebs_volume" "app2" {
		412 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		413 |   availability_zone = "eu-west-2a"
		414 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		415 |   type              = "gp2"
		416 |   encrypted         = true
		417 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		418 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		419 | 
		420 |   lifecycle {
		421 |     ignore_changes = [kms_key_id]
		422 |   }
		423 | 
		424 |   tags = merge(
		425 |     local.tags,
		426 |     { "Name" = "${local.application_name_short}-app2-data" },
		427 |   )
		428 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:247-263
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		247 | resource "aws_ebs_volume" "concurrent_manager" {
		248 |   availability_zone = "eu-west-2a"
		249 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		250 |   type              = "gp2"
		251 |   encrypted         = true
		252 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		253 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		254 | 
		255 |   lifecycle {
		256 |     ignore_changes = [kms_key_id]
		257 |   }
		258 | 
		259 |   tags = merge(
		260 |     local.tags,
		261 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		262 |   )
		263 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:419-435
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		419 | resource "aws_ebs_volume" "oradata" {
		420 |   availability_zone = "eu-west-2a"
		421 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		422 |   type              = "gp2"
		423 |   encrypted         = true
		424 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		425 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		426 | 
		427 |   lifecycle {
		428 |     ignore_changes = [kms_key_id]
		429 |   }
		430 | 
		431 |   tags = merge(
		432 |     local.tags,
		433 |     { "Name" = "${local.application_name_short}-database-oradata" },
		434 |   )
		435 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:443-459
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		443 | resource "aws_ebs_volume" "oracle" {
		444 |   availability_zone = "eu-west-2a"
		445 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		446 |   type              = "gp2"
		447 |   encrypted         = true
		448 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		449 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		450 | 
		451 |   lifecycle {
		452 |     ignore_changes = [kms_key_id]
		453 |   }
		454 | 
		455 |   tags = merge(
		456 |     local.tags,
		457 |     { "Name" = "${local.application_name_short}-database-oracle" },
		458 |   )
		459 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:467-483
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		467 | resource "aws_ebs_volume" "oraarch" {
		468 |   availability_zone = "eu-west-2a"
		469 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		470 |   type              = "gp2"
		471 |   encrypted         = true
		472 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		473 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		474 | 
		475 |   lifecycle {
		476 |     ignore_changes = [kms_key_id]
		477 |   }
		478 | 
		479 |   tags = merge(
		480 |     local.tags,
		481 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		482 |   )
		483 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:491-507
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		491 | resource "aws_ebs_volume" "oratmp" {
		492 |   availability_zone = "eu-west-2a"
		493 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		494 |   type              = "gp2"
		495 |   encrypted         = true
		496 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		497 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		498 | 
		499 |   lifecycle {
		500 |     ignore_changes = [kms_key_id]
		501 |   }
		502 | 
		503 |   tags = merge(
		504 |     local.tags,
		505 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		506 |   )
		507 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:515-531
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		515 | resource "aws_ebs_volume" "oraredo" {
		516 |   availability_zone = "eu-west-2a"
		517 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		518 |   type              = "gp2"
		519 |   encrypted         = true
		520 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		521 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		522 | 
		523 |   lifecycle {
		524 |     ignore_changes = [kms_key_id]
		525 |   }
		526 | 
		527 |   tags = merge(
		528 |     local.tags,
		529 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		530 |   )
		531 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:539-555
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		539 | resource "aws_ebs_volume" "share" {
		540 |   availability_zone = "eu-west-2a"
		541 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		542 |   type              = "gp2"
		543 |   encrypted         = true
		544 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		545 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		546 | 
		547 |   lifecycle {
		548 |     ignore_changes = [kms_key_id]
		549 |   }
		550 | 
		551 |   tags = merge(
		552 |     local.tags,
		553 |     { "Name" = "${local.application_name_short}-database-share" },
		554 |   )
		555 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/database.tf line 174:
 174: resource "time_sleep" "wait_db_userdata_scripts" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-10-31T12:50:38Z	INFO	[vulndb] Need to update DB
2024-10-31T12:50:38Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-31T12:50:38Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T12:50:41Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T12:50:41Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-31T12:50:41Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-31T12:50:41Z	INFO	[misconfig] Need to update the built-in checks
2024-10-31T12:50:41Z	INFO	[misconfig] Downloading the built-in checks...
2024-10-31T12:50:41Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 806.57µs, allowed: 44000/minute\n\n"
2024-10-31T12:50:41Z	INFO	[secret] Secret scanning is enabled
2024-10-31T12:50:41Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-31T12:50:41Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-31T12:50:42Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-31T12:50:42Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-31T12:50:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-31T12:50:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-31T12:50:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T12:50:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-31T12:50:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T12:50:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T12:50:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T12:50:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T12:50:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T12:50:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T12:50:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-31T12:50:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-31T12:50:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-31T12:50:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-31T12:50:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-31T12:50:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-31T12:50:45Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-31T12:50:45Z	INFO	Number of language-specific files	num=0
2024-10-31T12:50:45Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [   internal                   = false
 ...   
 153   }
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:194
   via app_servers.tf:193-195 (metadata_options)
    via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
 182   resource "aws_instance" "app1" {
 ...   
 194 [     http_tokens = "optional"
 ...   
 214   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:229
   via app_servers.tf:228-230 (metadata_options)
    via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
 216   resource "aws_instance" "app2" {
 ...   
 229 [     http_tokens = "optional"
 ...   
 249   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:182-214
────────────────────────────────────────
 182 ┌ resource "aws_instance" "app1" {
 183 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 184 │   availability_zone           = "eu-west-2a"
 185 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 186 │   monitoring                  = true
 187 │   vpc_security_group_ids      = [aws_security_group.app.id]
 188 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 189 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 190 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:216-249
────────────────────────────────────────
 216 ┌ resource "aws_instance" "app2" {
 217 │   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
 218 │   ami                    = local.application_data.accounts[local.environment].app_ami_id
 219 │   availability_zone      = "eu-west-2a"
 220 │   instance_type          = local.application_data.accounts[local.environment].app_instance_type
 221 │   monitoring             = true
 222 │   vpc_security_group_ids = [aws_security_group.app.id]
 223 │   subnet_id              = data.aws_subnet.private_subnets_a.id
 224 └   iam_instance_profile   = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:172
   via concurrent_manager.tf:171-173 (metadata_options)
    via concurrent_manager.tf:160-192 (aws_instance.concurrent_manager)
────────────────────────────────────────
 160   resource "aws_instance" "concurrent_manager" {
 ...   
 172 [     http_tokens = "optional"
 ...   
 192   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:160-192
────────────────────────────────────────
 160 ┌ resource "aws_instance" "concurrent_manager" {
 161 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 162 │   availability_zone           = "eu-west-2a"
 163 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 164 │   monitoring                  = true
 165 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 166 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 167 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 168 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:195
   via database.tf:194-196 (metadata_options)
    via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 195 [     http_tokens = "optional"
 ...   
 212   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:183-212
────────────────────────────────────────
 183 ┌ resource "aws_instance" "database" {
 184 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 185 │   availability_zone           = "eu-west-2a"
 186 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 187 │   monitoring                  = true
 188 │   vpc_security_group_ids      = [aws_security_group.database.id]
 189 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 190 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 191 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


trivy_exitcode=1

@vc13837 vc13837 temporarily deployed to contract-work-administration-development November 1, 2024 09:32 — with GitHub Actions Inactive

github-actions bot commented Nov 1, 2024

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-11-01T09:33:00Z INFO [vulndb] Need to update DB
2024-11-01T09:33:00Z INFO [vulndb] Downloading vulnerability DB...
2024-11-01T09:33:00Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-01T09:33:02Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-01T09:33:02Z INFO [vuln] Vulnerability scanning is enabled
2024-11-01T09:33:02Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-01T09:33:02Z INFO [misconfig] Need to update the built-in checks
2024-11-01T09:33:02Z INFO [misconfig] Downloading the built-in checks...
2024-11-01T09:33:02Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:c2b4fe1cd51083ede5606a38fb24e7fafb06fd2632c9cf6d9c63f5a80a6c67dc: TOOMANYREQUESTS: retry-after: 226.974µs, allowed: 44000/minute"
2024-11-01T09:33:02Z INFO [secret] Secret scanning is enabled
2024-11-01T09:33:02Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-01T09:33:02Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-11-01T09:33:04Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-01T09:33:04Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-01T09:33:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-01T09:33:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-01T09:33:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-11-01T09:33:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-11-01T09:33:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-11-01T09:33:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-11-01T09:33:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-11-01T09:33:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-11-01T09:33:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-11-01T09:33:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-11-01T09:33:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-11-01T09:33:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-11-01T09:33:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-11-01T09:33:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-11-01T09:33:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-11-01T09:33:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-11-01T09:33:06Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-01T09:33:06Z INFO Number of language-specific files num=0
2024-11-01T09:33:06Z INFO Detected config files num=9

alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:132
via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
130 resource "aws_lb" "external" {
...
132 [ internal = false
...
153 }
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:194
via app_servers.tf:193-195 (metadata_options)
via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
182 resource "aws_instance" "app1" {
...
194 [ http_tokens = "optional"
...
214 }
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:229
via app_servers.tf:228-230 (metadata_options)
via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
216 resource "aws_instance" "app2" {
...
229 [ http_tokens = "optional"
...
249 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:182-214
────────────────────────────────────────
182 ┌ resource "aws_instance" "app1" {
183 │ ami = local.application_data.accounts[local.environment].app_ami_id
184 │ availability_zone = "eu-west-2a"
185 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
186 │ monitoring = true
187 │ vpc_security_group_ids = [aws_security_group.app.id]
188 │ subnet_id = data.aws_subnet.private_subnets_a.id
189 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
190 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:216-249
────────────────────────────────────────
216 ┌ resource "aws_instance" "app2" {
217 │ count = contains(["development2", "testing"], local.environment) ? 0 : 1
218 │ ami = local.application_data.accounts[local.environment].app_ami_id
219 │ availability_zone = "eu-west-2a"
220 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
221 │ monitoring = true
222 │ vpc_security_group_ids = [aws_security_group.app.id]
223 │ subnet_id = data.aws_subnet.private_subnets_a.id
224 └ iam_instance_profile = aws_iam_instance_profile.cwa.id
...
────────────────────────────────────────

backup_lambda.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:172
via concurrent_manager.tf:171-173 (metadata_options)
via concurrent_manager.tf:160-192 (aws_instance.concurrent_manager)
────────────────────────────────────────
160 resource "aws_instance" "concurrent_manager" {
...
172 [ http_tokens = "optional"
...
192 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:160-192
────────────────────────────────────────
160 ┌ resource "aws_instance" "concurrent_manager" {
161 │ ami = local.application_data.accounts[local.environment].cm_ami_id
162 │ availability_zone = "eu-west-2a"
163 │ instance_type = local.application_data.accounts[local.environment].cm_instance_type
164 │ monitoring = true
165 │ vpc_security_group_ids = [aws_security_group.concurrent_manager.id]
166 │ subnet_id = data.aws_subnet.private_subnets_a.id
167 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
168 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

database.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:195
via database.tf:194-196 (metadata_options)
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
195 [ http_tokens = "optional"
...
212 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:183-212
────────────────────────────────────────
183 ┌ resource "aws_instance" "database" {
184 │ ami = local.application_data.accounts[local.environment].db_ami_id
185 │ availability_zone = "eu-west-2a"
186 │ instance_type = local.application_data.accounts[local.environment].db_instance_type
187 │ monitoring = true
188 │ vpc_security_group_ids = [aws_security_group.database.id]
189 │ subnet_id = data.aws_subnet.data_subnets_a.id
190 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
191 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

trivy_exitcode=1

```

Checkov Scan Failed

Show Output

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-01 09:33:09,430 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-01 09:33:09,430 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-11-01 09:33:09,430 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-01 09:33:09,461 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-01 09:33:09,461 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:182-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		182 | resource "aws_instance" "app1" {
		183 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		184 |   availability_zone           = "eu-west-2a"
		185 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		186 |   monitoring                  = true
		187 |   vpc_security_group_ids      = [aws_security_group.app.id]
		188 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		189 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		190 |   key_name                    = aws_key_pair.cwa.key_name
		191 |   user_data_base64            = base64encode(local.app_userdata)
		192 |   user_data_replace_on_change = true
		193 |   metadata_options {
		194 |     http_tokens = "optional"
		195 |   }
		196 | 
		197 |   root_block_device {
		198 |     tags = merge(
		199 |       { "instance-scheduling" = "skip-scheduling" },
		200 |       local.tags,
		201 |       { "Name" = "${local.application_name_short}-app1-root" }
		202 |     )
		203 |   }
		204 | 
		205 |   tags = merge(
		206 |     { "instance-scheduling" = "skip-scheduling" },
		207 |     local.tags,
		208 |     { "Name" = local.appserver1_ec2_name },
		209 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		210 |   )
		211 | 
		212 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		213 | 
		214 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:182-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		182 | resource "aws_instance" "app1" {
		183 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		184 |   availability_zone           = "eu-west-2a"
		185 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		186 |   monitoring                  = true
		187 |   vpc_security_group_ids      = [aws_security_group.app.id]
		188 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		189 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		190 |   key_name                    = aws_key_pair.cwa.key_name
		191 |   user_data_base64            = base64encode(local.app_userdata)
		192 |   user_data_replace_on_change = true
		193 |   metadata_options {
		194 |     http_tokens = "optional"
		195 |   }
		196 | 
		197 |   root_block_device {
		198 |     tags = merge(
		199 |       { "instance-scheduling" = "skip-scheduling" },
		200 |       local.tags,
		201 |       { "Name" = "${local.application_name_short}-app1-root" }
		202 |     )
		203 |   }
		204 | 
		205 |   tags = merge(
		206 |     { "instance-scheduling" = "skip-scheduling" },
		207 |     local.tags,
		208 |     { "Name" = local.appserver1_ec2_name },
		209 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		210 |   )
		211 | 
		212 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		213 | 
		214 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:216-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		216 | resource "aws_instance" "app2" {
		217 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		218 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		219 |   availability_zone      = "eu-west-2a"
		220 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		221 |   monitoring             = true
		222 |   vpc_security_group_ids = [aws_security_group.app.id]
		223 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		224 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		225 |   key_name               = aws_key_pair.cwa.key_name
		226 |   user_data_base64       = base64encode(local.app_userdata)
		227 |   user_data_replace_on_change = false
		228 |   metadata_options {
		229 |     http_tokens = "optional"
		230 |   }
		231 | 
		232 |   root_block_device {
		233 |     tags = merge(
		234 |       { "instance-scheduling" = "skip-scheduling" },
		235 |       local.tags,
		236 |       { "Name" = "${local.application_name_short}-app2-root" }
		237 |     )
		238 |   }
		239 | 
		240 |   tags = merge(
		241 |     { "instance-scheduling" = "skip-scheduling" },
		242 |     local.tags,
		243 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		244 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		245 |   )
		246 | 
		247 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		248 | 
		249 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:216-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		216 | resource "aws_instance" "app2" {
		217 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		218 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		219 |   availability_zone      = "eu-west-2a"
		220 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		221 |   monitoring             = true
		222 |   vpc_security_group_ids = [aws_security_group.app.id]
		223 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		224 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		225 |   key_name               = aws_key_pair.cwa.key_name
		226 |   user_data_base64       = base64encode(local.app_userdata)
		227 |   user_data_replace_on_change = false
		228 |   metadata_options {
		229 |     http_tokens = "optional"
		230 |   }
		231 | 
		232 |   root_block_device {
		233 |     tags = merge(
		234 |       { "instance-scheduling" = "skip-scheduling" },
		235 |       local.tags,
		236 |       { "Name" = "${local.application_name_short}-app2-root" }
		237 |     )
		238 |   }
		239 | 
		240 |   tags = merge(
		241 |     { "instance-scheduling" = "skip-scheduling" },
		242 |     local.tags,
		243 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		244 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		245 |   )
		246 | 
		247 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		248 | 
		249 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:267-271
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		267 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		268 |   security_group_id = aws_security_group.app.id
		269 |   cidr_ipv4         = "0.0.0.0/0"
		270 |   ip_protocol       = "-1"
		271 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:273-280
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		273 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		274 |   security_group_id            = aws_security_group.app.id
		275 |   description                  = "SSH from the Bastion"
		276 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		277 |   from_port                    = 22
		278 |   ip_protocol                  = "tcp"
		279 |   to_port                      = 22
		280 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:160-192
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		160 | resource "aws_instance" "concurrent_manager" {
		161 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		162 |   availability_zone           = "eu-west-2a"
		163 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		164 |   monitoring                  = true
		165 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		166 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		167 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		168 |   key_name                    = aws_key_pair.cwa.key_name
		169 |   user_data_base64            = base64encode(local.cm_userdata)
		170 |   user_data_replace_on_change = true
		171 |   metadata_options {
		172 |     http_tokens = "optional"
		173 |   }
		174 | 
		175 |   root_block_device {
		176 |     tags = merge(
		177 |       { "instance-scheduling" = "skip-scheduling" },
		178 |       local.tags,
		179 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		180 |     )
		181 |   }
		182 | 
		183 |   tags = merge(
		184 |     { "instance-scheduling" = "skip-scheduling" },
		185 |     local.tags,
		186 |     { "Name" = local.cm_ec2_name },
		187 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		188 |   )
		189 | 
		190 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		191 | 
		192 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:160-192
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		160 | resource "aws_instance" "concurrent_manager" {
		161 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		162 |   availability_zone           = "eu-west-2a"
		163 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		164 |   monitoring                  = true
		165 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		166 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		167 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		168 |   key_name                    = aws_key_pair.cwa.key_name
		169 |   user_data_base64            = base64encode(local.cm_userdata)
		170 |   user_data_replace_on_change = true
		171 |   metadata_options {
		172 |     http_tokens = "optional"
		173 |   }
		174 | 
		175 |   root_block_device {
		176 |     tags = merge(
		177 |       { "instance-scheduling" = "skip-scheduling" },
		178 |       local.tags,
		179 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		180 |     )
		181 |   }
		182 | 
		183 |   tags = merge(
		184 |     { "instance-scheduling" = "skip-scheduling" },
		185 |     local.tags,
		186 |     { "Name" = local.cm_ec2_name },
		187 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		188 |   )
		189 | 
		190 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		191 | 
		192 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:210-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		210 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		211 |   security_group_id = aws_security_group.concurrent_manager.id
		212 |   cidr_ipv4         = "0.0.0.0/0"
		213 |   ip_protocol       = "-1"
		214 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:216-223
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		216 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		217 |   security_group_id            = aws_security_group.concurrent_manager.id
		218 |   description                  = "SSH from the Bastion"
		219 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		220 |   from_port                    = 22
		221 |   ip_protocol                  = "tcp"
		222 |   to_port                      = 22
		223 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:235-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		235 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		236 |   security_group_id = aws_security_group.database.id
		237 |   cidr_ipv4         = "0.0.0.0/0"
		238 |   ip_protocol       = "-1"
		239 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:241-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		241 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		242 |   security_group_id            = aws_security_group.database.id
		243 |   description                  = "SSH from the Bastion"
		244 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		245 |   from_port                    = 22
		246 |   ip_protocol                  = "tcp"
		247 |   to_port                      = 22
		248 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:250-257
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		250 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		251 |   security_group_id            = aws_security_group.database.id
		252 |   description                  = "Allow Lambda SSH access for backup snapshots"
		253 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		254 |   from_port                    = 22
		255 |   ip_protocol                  = "tcp"
		256 |   to_port                      = 22
		257 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:387-403
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		387 | resource "aws_ebs_volume" "app1" {
		388 |   availability_zone = "eu-west-2a"
		389 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		390 |   type              = "gp2"
		391 |   encrypted         = true
		392 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		393 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		394 | 
		395 |   lifecycle {
		396 |     ignore_changes = [kms_key_id]
		397 |   }
		398 | 
		399 |   tags = merge(
		400 |     local.tags,
		401 |     { "Name" = "${local.application_name_short}-app1-data" },
		402 |   )
		403 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:411-428
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		411 | resource "aws_ebs_volume" "app2" {
		412 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		413 |   availability_zone = "eu-west-2a"
		414 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		415 |   type              = "gp2"
		416 |   encrypted         = true
		417 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		418 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		419 | 
		420 |   lifecycle {
		421 |     ignore_changes = [kms_key_id]
		422 |   }
		423 | 
		424 |   tags = merge(
		425 |     local.tags,
		426 |     { "Name" = "${local.application_name_short}-app2-data" },
		427 |   )
		428 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:247-263
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		247 | resource "aws_ebs_volume" "concurrent_manager" {
		248 |   availability_zone = "eu-west-2a"
		249 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		250 |   type              = "gp2"
		251 |   encrypted         = true
		252 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		253 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		254 | 
		255 |   lifecycle {
		256 |     ignore_changes = [kms_key_id]
		257 |   }
		258 | 
		259 |   tags = merge(
		260 |     local.tags,
		261 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		262 |   )
		263 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:419-435
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		419 | resource "aws_ebs_volume" "oradata" {
		420 |   availability_zone = "eu-west-2a"
		421 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		422 |   type              = "gp2"
		423 |   encrypted         = true
		424 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		425 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		426 | 
		427 |   lifecycle {
		428 |     ignore_changes = [kms_key_id]
		429 |   }
		430 | 
		431 |   tags = merge(
		432 |     local.tags,
		433 |     { "Name" = "${local.application_name_short}-database-oradata" },
		434 |   )
		435 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:443-459
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		443 | resource "aws_ebs_volume" "oracle" {
		444 |   availability_zone = "eu-west-2a"
		445 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		446 |   type              = "gp2"
		447 |   encrypted         = true
		448 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		449 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		450 | 
		451 |   lifecycle {
		452 |     ignore_changes = [kms_key_id]
		453 |   }
		454 | 
		455 |   tags = merge(
		456 |     local.tags,
		457 |     { "Name" = "${local.application_name_short}-database-oracle" },
		458 |   )
		459 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:467-483
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		467 | resource "aws_ebs_volume" "oraarch" {
		468 |   availability_zone = "eu-west-2a"
		469 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		470 |   type              = "gp2"
		471 |   encrypted         = true
		472 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		473 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		474 | 
		475 |   lifecycle {
		476 |     ignore_changes = [kms_key_id]
		477 |   }
		478 | 
		479 |   tags = merge(
		480 |     local.tags,
		481 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		482 |   )
		483 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:491-507
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		491 | resource "aws_ebs_volume" "oratmp" {
		492 |   availability_zone = "eu-west-2a"
		493 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		494 |   type              = "gp2"
		495 |   encrypted         = true
		496 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		497 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		498 | 
		499 |   lifecycle {
		500 |     ignore_changes = [kms_key_id]
		501 |   }
		502 | 
		503 |   tags = merge(

		504 |     local.tags,
		505 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		506 |   )
		507 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:515-531
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		515 | resource "aws_ebs_volume" "oraredo" {
		516 |   availability_zone = "eu-west-2a"
		517 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		518 |   type              = "gp2"
		519 |   encrypted         = true
		520 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		521 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		522 | 
		523 |   lifecycle {
		524 |     ignore_changes = [kms_key_id]
		525 |   }
		526 | 
		527 |   tags = merge(
		528 |     local.tags,
		529 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		530 |   )
		531 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:539-555
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		539 | resource "aws_ebs_volume" "share" {
		540 |   availability_zone = "eu-west-2a"
		541 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		542 |   type              = "gp2"
		543 |   encrypted         = true
		544 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		545 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		546 | 
		547 |   lifecycle {
		548 |     ignore_changes = [kms_key_id]
		549 |   }
		550 | 
		551 |   tags = merge(
		552 |     local.tags,
		553 |     { "Name" = "${local.application_name_short}-database-share" },
		554 |   )
		555 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1
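As an added example, not part of the scan output or the repository's own code: the `aws_instance.database` block quoted above with the two EC2 findings (CKV_AWS_79 and CKV_AWS_135) addressed. Attribute values are the ones the scan printed; `ebs_optimized`, the full `metadata_options` block and `encrypted` on the root volume are the additions, and the comments carry the checks a practitioner makes before applying this to a stateful database host.

```hcl
resource "aws_instance" "database" {
  ami                         = local.application_data.accounts[local.environment].db_ami_id
  availability_zone           = "eu-west-2a"
  instance_type               = local.application_data.accounts[local.environment].db_instance_type
  monitoring                  = true
  # CKV_AWS_135: dedicated EBS bandwidth. Current instance families are
  # EBS-optimized by default; older ones may reject the flag, so run
  # `terraform plan` first and check whether this is an in-place update
  # or a forced replacement for the configured db_instance_type.
  ebs_optimized               = true
  vpc_security_group_ids      = [aws_security_group.database.id]
  subnet_id                   = data.aws_subnet.data_subnets_a.id
  iam_instance_profile        = aws_iam_instance_profile.cwa.id
  key_name                    = aws_key_pair.cwa.key_name
  user_data_base64            = base64encode(local.db_userdata)
  user_data_replace_on_change = true

  # CKV_AWS_79 / avd-aws-0028: IMDSv2 only. With http_tokens = "optional" any
  # SSRF in a service on the box, or any compromised local process, can fetch
  # the instance profile's credentials from 169.254.169.254 with one plain
  # GET. "required" forces a PUT to /latest/api/token first, which most SSRF
  # primitives cannot issue.
  #
  # Before flipping this on a running instance: grep local.db_userdata and
  # the AMI's agents for token-less calls to 169.254.169.254 (the SSM and
  # CloudWatch agents already use IMDSv2), and check the instance's
  # AWS/EC2 MetadataNoToken CloudWatch metric is at zero.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1 # raise only if containers on this host must reach IMDS through an extra hop
    instance_metadata_tags      = "disabled"
  }

  root_block_device {
    # Encryption at rest for the root volume. Changing this on an existing
    # instance forces replacement, so combine it with a planned rebuild.
    encrypted = true
    tags = merge(
      { "instance-scheduling" = "skip-scheduling" },
      local.tags,
      { "Name" = "${local.application_name_short}-database-root" }
    )
  }

  tags = merge(
    { "instance-scheduling" = "skip-scheduling" },
    local.tags,
    { "Name" = local.database_ec2_name }
  )
  depends_on = [time_sleep.wait_db_userdata_scripts]
}
```

The IMDS change is the one with a real blast radius: the instance profile `aws_iam_instance_profile.cwa` is also the subject of the CKV_AWS_355 and CKV_AWS_290 findings (write access and `*` resources), so an IMDSv1 credential leak from this host would hand out broad permissions. Fix the token requirement first and the policy scope second; each on its own still leaves the other path open.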

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/database.tf line 174:
 174: resource "time_sleep" "wait_db_userdata_scripts" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
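The four tflint warnings above share one fix: declare every provider the environment's resources and data sources pull in under `required_providers`, so `terraform init` records a pinned version and checksums in `.terraform.lock.hcl` instead of resolving "latest" on each run. This is an added example, not the repository's code; the version constraints are illustrative and should be checked against the Terraform Registry before use, and the `templatefile()` path name in the comment is hypothetical.

```hcl
terraform {
  required_providers {
    # Providers the environment already declares (aws and friends) stay as they are.

    archive = {
      source  = "hashicorp/archive" # data "archive_file" "connect_db" (backup_lambda.tf)
      version = "~> 2.4"
    }
    local = {
      source  = "hashicorp/local"   # data "local_file" "cm_custom_metrics" (data.tf)
      version = "~> 2.4"
    }
    time = {
      source  = "hashicorp/time"    # resource "time_sleep" "wait_db_userdata_scripts" (database.tf)
      version = "~> 0.12"
    }
    # data "template_file" "dashboard_no_ha" (cloudwatch.tf) pulls in
    # hashicorp/template, which is archived and has no builds for newer
    # platforms such as darwin_arm64. Pin it only as a stopgap; the durable
    # fix is the built-in templatefile() function, which needs no provider:
    #   dashboard_body = templatefile("${path.module}/dashboard_no_ha.json.tpl", { ... })
    template = {
      source  = "hashicorp/template"
      version = "~> 2.2"
    }
  }
}
```

Run `terraform init` after adding the block and commit the updated `.terraform.lock.hcl`; the lockfile hashes are what turn a version constraint into a supply-chain pin. The CKV_TF_1 finding on `module "pagerduty_core_alerts"` is the same principle for modules: `?ref=v2.0.0` is a movable tag, whereas `?ref=<commit sha>` is not.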

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-11-01T09:33:00Z	INFO	[vulndb] Need to update DB
2024-11-01T09:33:00Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-01T09:33:00Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-01T09:33:02Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-01T09:33:02Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-01T09:33:02Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-01T09:33:02Z	INFO	[misconfig] Need to update the built-in checks
2024-11-01T09:33:02Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-01T09:33:02Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:c2b4fe1cd51083ede5606a38fb24e7fafb06fd2632c9cf6d9c63f5a80a6c67dc: TOOMANYREQUESTS: retry-after: 226.974µs, allowed: 44000/minute"
2024-11-01T09:33:02Z	INFO	[secret] Secret scanning is enabled
2024-11-01T09:33:02Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-01T09:33:02Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-11-01T09:33:04Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-01T09:33:04Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-01T09:33:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-01T09:33:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-01T09:33:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-11-01T09:33:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-11-01T09:33:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-11-01T09:33:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-11-01T09:33:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-11-01T09:33:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-11-01T09:33:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-11-01T09:33:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-11-01T09:33:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-11-01T09:33:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-11-01T09:33:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-11-01T09:33:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-11-01T09:33:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-11-01T09:33:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-11-01T09:33:06Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-01T09:33:06Z	INFO	Number of language-specific files	num=0
2024-11-01T09:33:06Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 131     name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132     internal                   = false
 133     load_balancer_type         = "application"
 134     security_groups            = [aws_security_group.external_lb.id]
 135     subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136     enable_deletion_protection = local.lb_enable_deletion_protection
 137     idle_timeout               = local.external_lb_idle_timeout
 138     enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [   internal                   = false
 ...   
 153   }
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:194
   via app_servers.tf:193-195 (metadata_options)
    via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
 182   resource "aws_instance" "app1" {
 ...   
 194 [     http_tokens = "optional"
 ...   
 214   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:229
   via app_servers.tf:228-230 (metadata_options)
    via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
 216   resource "aws_instance" "app2" {
 ...   
 229 [     http_tokens = "optional"
 ...   
 249   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:182-214
────────────────────────────────────────
 182 ┌ resource "aws_instance" "app1" {
 183 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 184 │   availability_zone           = "eu-west-2a"
 185 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 186 │   monitoring                  = true
 187 │   vpc_security_group_ids      = [aws_security_group.app.id]
 188 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 189 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 190 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:216-249
────────────────────────────────────────
 216 ┌ resource "aws_instance" "app2" {
 217 │   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
 218 │   ami                    = local.application_data.accounts[local.environment].app_ami_id
 219 │   availability_zone      = "eu-west-2a"
 220 │   instance_type          = local.application_data.accounts[local.environment].app_instance_type
 221 │   monitoring             = true
 222 │   vpc_security_group_ids = [aws_security_group.app.id]
 223 │   subnet_id              = data.aws_subnet.private_subnets_a.id
 224 └   iam_instance_profile   = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:172
   via concurrent_manager.tf:171-173 (metadata_options)
    via concurrent_manager.tf:160-192 (aws_instance.concurrent_manager)
────────────────────────────────────────
 160   resource "aws_instance" "concurrent_manager" {
 ...   
 172 [     http_tokens = "optional"
 ...   
 192   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:160-192
────────────────────────────────────────
 160 ┌ resource "aws_instance" "concurrent_manager" {
 161 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 162 │   availability_zone           = "eu-west-2a"
 163 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 164 │   monitoring                  = true
 165 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 166 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 167 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 168 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:195
   via database.tf:194-196 (metadata_options)
    via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 195 [     http_tokens = "optional"
 ...   
 212   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:183-212
────────────────────────────────────────
 183 ┌ resource "aws_instance" "database" {
 184 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 185 │   availability_zone           = "eu-west-2a"
 186 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 187 │   monitoring                  = true
 188 │   vpc_security_group_ids      = [aws_security_group.database.id]
 189 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 190 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 191 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


trivy_exitcode=1

@vc13837 vc13837 temporarily deployed to contract-work-administration-development November 1, 2024 10:14 — with GitHub Actions Inactive
Contributor

github-actions bot commented Nov 1, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-11-01T10:15:16Z INFO [vulndb] Need to update DB
2024-11-01T10:15:16Z INFO [vulndb] Downloading vulnerability DB...
2024-11-01T10:15:16Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-01T10:15:18Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-01T10:15:18Z INFO [vuln] Vulnerability scanning is enabled
2024-11-01T10:15:18Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-01T10:15:18Z INFO [misconfig] Need to update the built-in checks
2024-11-01T10:15:18Z INFO [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-11-01T10:15:18Z INFO [secret] Secret scanning is enabled
2024-11-01T10:15:18Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-01T10:15:18Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-11-01T10:15:19Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-01T10:15:19Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-01T10:15:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-01T10:15:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-01T10:15:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-11-01T10:15:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-11-01T10:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-11-01T10:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-11-01T10:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-11-01T10:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-11-01T10:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-11-01T10:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-11-01T10:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-11-01T10:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-11-01T10:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-11-01T10:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-11-01T10:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-11-01T10:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-11-01T10:15:22Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-01T10:15:23Z INFO Number of language-specific files num=0
2024-11-01T10:15:23Z INFO Detected config files num=9

alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:193-195
via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
182 resource "aws_instance" "app1" {
...
193 ┌ metadata_options {
194 │ http_tokens = "optional"
195 └ }
...
214 }
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:228-230
via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
216 resource "aws_instance" "app2" {
...
228 ┌ metadata_options {
229 │ http_tokens = "optional"
230 └ }
...
249 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:197-203
via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
182 resource "aws_instance" "app1" {
...
197 ┌ root_block_device {
198 │ tags = merge(
199 │ { "instance-scheduling" = "skip-scheduling" },
200 │ local.tags,
201 │ { "Name" = "${local.application_name_short}-app1-root" }
202 │ )
203 └ }
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:232-238
via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
216 resource "aws_instance" "app2" {
...
232 ┌ root_block_device {
233 │ tags = merge(
234 │ { "instance-scheduling" = "skip-scheduling" },
235 │ local.tags,
236 │ { "Name" = "${local.application_name_short}-app2-root" }
237 │ )
238 └ }
...
────────────────────────────────────────

backup_lambda.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:171-173
via concurrent_manager.tf:160-192 (aws_instance.concurrent_manager)
────────────────────────────────────────
160 resource "aws_instance" "concurrent_manager" {
...
171 ┌ metadata_options {
172 │ http_tokens = "optional"
173 └ }
...
192 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:175-181
via concurrent_manager.tf:160-192 (aws_instance.concurrent_manager)
────────────────────────────────────────
160 resource "aws_instance" "concurrent_manager" {
...
175 ┌ root_block_device {
176 │ tags = merge(
177 │ { "instance-scheduling" = "skip-scheduling" },
178 │ local.tags,
179 │ { "Name" = "${local.application_name_short}-concurrent-manager-root" }
180 │ )
181 └ }
...
────────────────────────────────────────

database.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:194-196
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
194 ┌ metadata_options {
195 │ http_tokens = "optional"
196 └ }
...
212 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:198-204
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
198 ┌ root_block_device {
199 │ tags = merge(
200 │ { "instance-scheduling" = "skip-scheduling" },
201 │ local.tags,
202 │ { "Name" = "${local.application_name_short}-database-root" }
203 │ )
204 └ }
...
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed

Show Output ```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-01 10:15:25,855 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-01 10:15:25,855 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-11-01 10:15:25,855 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-01 10:15:25,883 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-01 10:15:25,883 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:182-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		182 | resource "aws_instance" "app1" {
		183 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		184 |   availability_zone           = "eu-west-2a"
		185 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		186 |   monitoring                  = true
		187 |   vpc_security_group_ids      = [aws_security_group.app.id]
		188 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		189 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		190 |   key_name                    = aws_key_pair.cwa.key_name
		191 |   user_data_base64            = base64encode(local.app_userdata)
		192 |   user_data_replace_on_change = true
		193 |   metadata_options {
		194 |     http_tokens = "optional"
		195 |   }
		196 | 
		197 |   root_block_device {
		198 |     tags = merge(
		199 |       { "instance-scheduling" = "skip-scheduling" },
		200 |       local.tags,
		201 |       { "Name" = "${local.application_name_short}-app1-root" }
		202 |     )
		203 |   }
		204 | 
		205 |   tags = merge(
		206 |     { "instance-scheduling" = "skip-scheduling" },
		207 |     local.tags,
		208 |     { "Name" = local.appserver1_ec2_name },
		209 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		210 |   )
		211 | 
		212 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		213 | 
		214 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:182-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		182 | resource "aws_instance" "app1" {
		183 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		184 |   availability_zone           = "eu-west-2a"
		185 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		186 |   monitoring                  = true
		187 |   vpc_security_group_ids      = [aws_security_group.app.id]
		188 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		189 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		190 |   key_name                    = aws_key_pair.cwa.key_name
		191 |   user_data_base64            = base64encode(local.app_userdata)
		192 |   user_data_replace_on_change = true
		193 |   metadata_options {
		194 |     http_tokens = "optional"
		195 |   }
		196 | 
		197 |   root_block_device {
		198 |     tags = merge(
		199 |       { "instance-scheduling" = "skip-scheduling" },
		200 |       local.tags,
		201 |       { "Name" = "${local.application_name_short}-app1-root" }
		202 |     )
		203 |   }
		204 | 
		205 |   tags = merge(
		206 |     { "instance-scheduling" = "skip-scheduling" },
		207 |     local.tags,
		208 |     { "Name" = local.appserver1_ec2_name },
		209 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		210 |   )
		211 | 
		212 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		213 | 
		214 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:216-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		216 | resource "aws_instance" "app2" {
		217 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		218 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		219 |   availability_zone      = "eu-west-2a"
		220 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		221 |   monitoring             = true
		222 |   vpc_security_group_ids = [aws_security_group.app.id]
		223 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		224 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		225 |   key_name               = aws_key_pair.cwa.key_name
		226 |   user_data_base64       = base64encode(local.app_userdata)
		227 |   user_data_replace_on_change = false
		228 |   metadata_options {
		229 |     http_tokens = "optional"
		230 |   }
		231 | 
		232 |   root_block_device {
		233 |     tags = merge(
		234 |       { "instance-scheduling" = "skip-scheduling" },
		235 |       local.tags,
		236 |       { "Name" = "${local.application_name_short}-app2-root" }
		237 |     )
		238 |   }
		239 | 
		240 |   tags = merge(
		241 |     { "instance-scheduling" = "skip-scheduling" },
		242 |     local.tags,
		243 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		244 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		245 |   )
		246 | 
		247 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		248 | 
		249 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:216-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		216 | resource "aws_instance" "app2" {
		217 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		218 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		219 |   availability_zone      = "eu-west-2a"
		220 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		221 |   monitoring             = true
		222 |   vpc_security_group_ids = [aws_security_group.app.id]
		223 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		224 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		225 |   key_name               = aws_key_pair.cwa.key_name
		226 |   user_data_base64       = base64encode(local.app_userdata)
		227 |   user_data_replace_on_change = false
		228 |   metadata_options {
		229 |     http_tokens = "optional"
		230 |   }
		231 | 
		232 |   root_block_device {
		233 |     tags = merge(
		234 |       { "instance-scheduling" = "skip-scheduling" },
		235 |       local.tags,
		236 |       { "Name" = "${local.application_name_short}-app2-root" }
		237 |     )
		238 |   }
		239 | 
		240 |   tags = merge(
		241 |     { "instance-scheduling" = "skip-scheduling" },
		242 |     local.tags,
		243 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		244 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		245 |   )
		246 | 
		247 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		248 | 
		249 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:267-271
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		267 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		268 |   security_group_id = aws_security_group.app.id
		269 |   cidr_ipv4         = "0.0.0.0/0"
		270 |   ip_protocol       = "-1"
		271 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:273-280
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		273 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		274 |   security_group_id            = aws_security_group.app.id
		275 |   description                  = "SSH from the Bastion"
		276 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		277 |   from_port                    = 22
		278 |   ip_protocol                  = "tcp"
		279 |   to_port                      = 22
		280 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:160-192
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		160 | resource "aws_instance" "concurrent_manager" {
		161 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		162 |   availability_zone           = "eu-west-2a"
		163 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		164 |   monitoring                  = true
		165 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		166 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		167 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		168 |   key_name                    = aws_key_pair.cwa.key_name
		169 |   user_data_base64            = base64encode(local.cm_userdata)
		170 |   user_data_replace_on_change = true
		171 |   metadata_options {
		172 |     http_tokens = "optional"
		173 |   }
		174 | 
		175 |   root_block_device {
		176 |     tags = merge(
		177 |       { "instance-scheduling" = "skip-scheduling" },
		178 |       local.tags,
		179 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		180 |     )
		181 |   }
		182 | 
		183 |   tags = merge(
		184 |     { "instance-scheduling" = "skip-scheduling" },
		185 |     local.tags,
		186 |     { "Name" = local.cm_ec2_name },
		187 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		188 |   )
		189 | 
		190 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		191 | 
		192 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:160-192
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		160 | resource "aws_instance" "concurrent_manager" {
		161 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		162 |   availability_zone           = "eu-west-2a"
		163 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		164 |   monitoring                  = true
		165 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		166 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		167 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		168 |   key_name                    = aws_key_pair.cwa.key_name
		169 |   user_data_base64            = base64encode(local.cm_userdata)
		170 |   user_data_replace_on_change = true
		171 |   metadata_options {
		172 |     http_tokens = "optional"
		173 |   }
		174 | 
		175 |   root_block_device {
		176 |     tags = merge(
		177 |       { "instance-scheduling" = "skip-scheduling" },
		178 |       local.tags,
		179 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		180 |     )
		181 |   }
		182 | 
		183 |   tags = merge(
		184 |     { "instance-scheduling" = "skip-scheduling" },
		185 |     local.tags,
		186 |     { "Name" = local.cm_ec2_name },
		187 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		188 |   )
		189 | 
		190 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		191 | 
		192 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:210-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		210 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		211 |   security_group_id = aws_security_group.concurrent_manager.id
		212 |   cidr_ipv4         = "0.0.0.0/0"
		213 |   ip_protocol       = "-1"
		214 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:216-223
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		216 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		217 |   security_group_id            = aws_security_group.concurrent_manager.id
		218 |   description                  = "SSH from the Bastion"
		219 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		220 |   from_port                    = 22
		221 |   ip_protocol                  = "tcp"
		222 |   to_port                      = 22
		223 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:235-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		235 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		236 |   security_group_id = aws_security_group.database.id
		237 |   cidr_ipv4         = "0.0.0.0/0"
		238 |   ip_protocol       = "-1"
		239 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:241-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		241 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		242 |   security_group_id            = aws_security_group.database.id
		243 |   description                  = "SSH from the Bastion"
		244 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		245 |   from_port                    = 22
		246 |   ip_protocol                  = "tcp"
		247 |   to_port                      = 22
		248 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:250-257
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		250 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		251 |   security_group_id            = aws_security_group.database.id
		252 |   description                  = "Allow Lambda SSH access for backup snapshots"
		253 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		254 |   from_port                    = 22
		255 |   ip_protocol                  = "tcp"
		256 |   to_port                      = 22
		257 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:387-403
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		387 | resource "aws_ebs_volume" "app1" {
		388 |   availability_zone = "eu-west-2a"
		389 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		390 |   type              = "gp2"
		391 |   encrypted         = true
		392 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		393 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		394 | 
		395 |   lifecycle {
		396 |     ignore_changes = [kms_key_id]
		397 |   }
		398 | 
		399 |   tags = merge(
		400 |     local.tags,
		401 |     { "Name" = "${local.application_name_short}-app1-data" },
		402 |   )
		403 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:411-428
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		411 | resource "aws_ebs_volume" "app2" {
		412 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		413 |   availability_zone = "eu-west-2a"
		414 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		415 |   type              = "gp2"
		416 |   encrypted         = true
		417 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		418 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		419 | 
		420 |   lifecycle {
		421 |     ignore_changes = [kms_key_id]
		422 |   }
		423 | 
		424 |   tags = merge(
		425 |     local.tags,
		426 |     { "Name" = "${local.application_name_short}-app2-data" },
		427 |   )
		428 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:247-263
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		247 | resource "aws_ebs_volume" "concurrent_manager" {
		248 |   availability_zone = "eu-west-2a"
		249 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		250 |   type              = "gp2"
		251 |   encrypted         = true
		252 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		253 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		254 | 
		255 |   lifecycle {
		256 |     ignore_changes = [kms_key_id]
		257 |   }
		258 | 
		259 |   tags = merge(
		260 |     local.tags,
		261 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		262 |   )
		263 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:419-435
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		419 | resource "aws_ebs_volume" "oradata" {
		420 |   availability_zone = "eu-west-2a"
		421 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		422 |   type              = "gp2"
		423 |   encrypted         = true
		424 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		425 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		426 | 
		427 |   lifecycle {
		428 |     ignore_changes = [kms_key_id]
		429 |   }
		430 | 
		431 |   tags = merge(
		432 |     local.tags,
		433 |     { "Name" = "${local.application_name_short}-database-oradata" },
		434 |   )
		435 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:443-459
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		443 | resource "aws_ebs_volume" "oracle" {
		444 |   availability_zone = "eu-west-2a"
		445 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		446 |   type              = "gp2"
		447 |   encrypted         = true
		448 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		449 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		450 | 
		451 |   lifecycle {
		452 |     ignore_changes = [kms_key_id]
		453 |   }
		454 | 
		455 |   tags = merge(
		456 |     local.tags,
		457 |     { "Name" = "${local.application_name_short}-database-oracle" },
		458 |   )
		459 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:467-483
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		467 | resource "aws_ebs_volume" "oraarch" {
		468 |   availability_zone = "eu-west-2a"
		469 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		470 |   type              = "gp2"
		471 |   encrypted         = true
		472 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		473 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		474 | 
		475 |   lifecycle {
		476 |     ignore_changes = [kms_key_id]
		477 |   }
		478 | 
		479 |   tags = merge(
		480 |     local.tags,
		481 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		482 |   )
		483 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:491-507
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		491 | resource "aws_ebs_volume" "oratmp" {
		492 |   availability_zone = "eu-west-2a"
		493 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		494 |   type              = "gp2"
		495 |   encrypted         = true
		496 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		497 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		498 | 
		499 |   lifecycle {
		500 |     ignore_changes = [kms_key_id]
		501 |   }
		502 | 
		503 |   tags = merge(
		504 |     local.tags,
		505 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		506 |   )
		507 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:515-531
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		515 | resource "aws_ebs_volume" "oraredo" {
		516 |   availability_zone = "eu-west-2a"
		517 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		518 |   type              = "gp2"
		519 |   encrypted         = true
		520 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		521 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		522 | 
		523 |   lifecycle {
		524 |     ignore_changes = [kms_key_id]
		525 |   }
		526 | 
		527 |   tags = merge(
		528 |     local.tags,
		529 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		530 |   )
		531 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:539-555
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		539 | resource "aws_ebs_volume" "share" {
		540 |   availability_zone = "eu-west-2a"
		541 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		542 |   type              = "gp2"
		543 |   encrypted         = true
		544 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		545 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		546 | 
		547 |   lifecycle {
		548 |     ignore_changes = [kms_key_id]
		549 |   }
		550 | 
		551 |   tags = merge(
		552 |     local.tags,
		553 |     { "Name" = "${local.application_name_short}-database-share" },
		554 |   )
		555 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/concurrent_manager.tf line 151:
 151: resource "time_sleep" "wait_cm_custom_script" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-11-01T10:15:16Z	INFO	[vulndb] Need to update DB
2024-11-01T10:15:16Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-01T10:15:16Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-01T10:15:18Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-01T10:15:18Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-01T10:15:18Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-01T10:15:18Z	INFO	[misconfig] Need to update the built-in checks
2024-11-01T10:15:18Z	INFO	[misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-11-01T10:15:18Z	INFO	[secret] Secret scanning is enabled
2024-11-01T10:15:18Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-01T10:15:18Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-11-01T10:15:19Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-01T10:15:19Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-01T10:15:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-01T10:15:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-01T10:15:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-11-01T10:15:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-11-01T10:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-11-01T10:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-11-01T10:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-11-01T10:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-11-01T10:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-11-01T10:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-11-01T10:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-11-01T10:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-11-01T10:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-11-01T10:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-11-01T10:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-11-01T10:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-11-01T10:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-01T10:15:23Z	INFO	Number of language-specific files	num=0
2024-11-01T10:15:23Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 │   enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 │   enable_http2               = false
 ...   
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:193-195
   via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
 182   resource "aws_instance" "app1" {
 ...   
 193 ┌   metadata_options {
 194 │     http_tokens = "optional"
 195 └   }
 ...   
 214   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:228-230
   via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
 216   resource "aws_instance" "app2" {
 ...   
 228 ┌   metadata_options {
 229 │     http_tokens = "optional"
 230 └   }
 ...   
 249   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:197-203
   via app_servers.tf:182-214 (aws_instance.app1)
────────────────────────────────────────
 182   resource "aws_instance" "app1" {
 ...   
 197 ┌   root_block_device {
 198 │     tags = merge(
 199 │       { "instance-scheduling" = "skip-scheduling" },
 200 │       local.tags,
 201 │       { "Name" = "${local.application_name_short}-app1-root" }
 202 │     )
 203 └   }
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:232-238
   via app_servers.tf:216-249 (aws_instance.app2[0])
────────────────────────────────────────
 216   resource "aws_instance" "app2" {
 ...   
 232 ┌   root_block_device {
 233 │     tags = merge(
 234 │       { "instance-scheduling" = "skip-scheduling" },
 235 │       local.tags,
 236 │       { "Name" = "${local.application_name_short}-app2-root" }
 237 │     )
 238 └   }
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:171-173
   via concurrent_manager.tf:160-192 (aws_instance.concurrent_manager)
────────────────────────────────────────
 160   resource "aws_instance" "concurrent_manager" {
 ...   
 171 ┌   metadata_options {
 172 │     http_tokens = "optional"
 173 └   }
 ...   
 192   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:175-181
   via concurrent_manager.tf:160-192 (aws_instance.concurrent_manager)
────────────────────────────────────────
 160   resource "aws_instance" "concurrent_manager" {
 ...   
 175 ┌   root_block_device {
 176 │     tags = merge(
 177 │       { "instance-scheduling" = "skip-scheduling" },
 178 │       local.tags,
 179 │       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
 180 │     )
 181 └   }
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:194-196
   via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 194 ┌   metadata_options {
 195 │     http_tokens = "optional"
 196 └   }
 ...   
 212   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:198-204
   via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 198 ┌   root_block_device {
 199 │     tags = merge(
 200 │       { "instance-scheduling" = "skip-scheduling" },
 201 │       local.tags,
 202 │       { "Name" = "${local.application_name_short}-database-root" }
 203 │     )
 204 └   }
 ...   
────────────────────────────────────────


trivy_exitcode=1

@vc13837 vc13837 had a problem deploying to contract-work-administration-development November 1, 2024 15:28 — with GitHub Actions Error

github-actions bot commented Nov 1, 2024

Trivy Scan Failed

```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-11-01T15:29:03Z INFO [vulndb] Need to update DB
2024-11-01T15:29:03Z INFO [vulndb] Downloading vulnerability DB...
2024-11-01T15:29:03Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-01T15:29:05Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-01T15:29:05Z INFO [vuln] Vulnerability scanning is enabled
2024-11-01T15:29:05Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-01T15:29:05Z INFO [misconfig] Need to update the built-in checks
2024-11-01T15:29:05Z INFO [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-11-01T15:29:06Z INFO [secret] Secret scanning is enabled
2024-11-01T15:29:06Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-01T15:29:06Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-11-01T15:29:08Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-01T15:29:08Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-01T15:29:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-01T15:29:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-01T15:29:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-11-01T15:29:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-11-01T15:29:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-11-01T15:29:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-11-01T15:29:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-11-01T15:29:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-11-01T15:29:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-11-01T15:29:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-11-01T15:29:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-11-01T15:29:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-11-01T15:29:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-11-01T15:29:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-11-01T15:29:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-11-01T15:29:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-11-01T15:29:11Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-01T15:29:11Z INFO Number of language-specific files num=0
2024-11-01T15:29:11Z INFO Detected config files num=9

alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:192-194
via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
181 resource "aws_instance" "app1" {
...
192 ┌ metadata_options {
193 │ http_tokens = "optional"
194 └ }
...
213 }
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:227-229
via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
215 resource "aws_instance" "app2" {
...
227 ┌ metadata_options {
228 │ http_tokens = "optional"
229 └ }
...
248 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:196-202
via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
181 resource "aws_instance" "app1" {
...
196 ┌ root_block_device {
197 │ tags = merge(
198 │ { "instance-scheduling" = "skip-scheduling" },
199 │ local.tags,
200 │ { "Name" = "${local.application_name_short}-app1-root" }
201 │ )
202 └ }
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:231-237
via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
215 resource "aws_instance" "app2" {
...
231 ┌ root_block_device {
232 │ tags = merge(
233 │ { "instance-scheduling" = "skip-scheduling" },
234 │ local.tags,
235 │ { "Name" = "${local.application_name_short}-app2-root" }
236 │ )
237 └ }
...
────────────────────────────────────────

backup_lambda.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:170-172
via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
159 resource "aws_instance" "concurrent_manager" {
...
170 ┌ metadata_options {
171 │ http_tokens = "optional"
172 └ }
...
191 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:174-180
via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
159 resource "aws_instance" "concurrent_manager" {
...
174 ┌ root_block_device {
175 │ tags = merge(
176 │ { "instance-scheduling" = "skip-scheduling" },
177 │ local.tags,
178 │ { "Name" = "${local.application_name_short}-concurrent-manager-root" }
179 │ )
180 └ }
...
────────────────────────────────────────

database.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:194-196
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
194 ┌ metadata_options {
195 │ http_tokens = "optional"
196 └ }
...
212 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:198-204
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
198 ┌ root_block_device {
199 │ tags = merge(
200 │ { "instance-scheduling" = "skip-scheduling" },
201 │ local.tags,
202 │ { "Name" = "${local.application_name_short}-database-root" }
203 │ )
204 └ }
...
────────────────────────────────────────

trivy_exitcode=1

</details>

Checkov Scan Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-01 15:29:14,534 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-01 15:29:14,534 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-11-01 15:29:14,534 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-01 15:29:14,558 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-01 15:29:14,558 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		215 | resource "aws_instance" "app2" {
		216 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone      = "eu-west-2a"
		219 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring             = true
		221 |   vpc_security_group_ids = [aws_security_group.app.id]
		222 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		224 |   key_name               = aws_key_pair.cwa.key_name
		225 |   user_data_base64       = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		215 | resource "aws_instance" "app2" {
		216 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone      = "eu-west-2a"
		219 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring             = true
		221 |   vpc_security_group_ids = [aws_security_group.app.id]
		222 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		224 |   key_name               = aws_key_pair.cwa.key_name
		225 |   user_data_base64       = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:266-270
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		266 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		267 |   security_group_id = aws_security_group.app.id
		268 |   cidr_ipv4         = "0.0.0.0/0"
		269 |   ip_protocol       = "-1"
		270 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:272-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		272 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		273 |   security_group_id            = aws_security_group.app.id
		274 |   description                  = "SSH from the Bastion"
		275 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		276 |   from_port                    = 22
		277 |   ip_protocol                  = "tcp"
		278 |   to_port                      = 22
		279 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:209-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		209 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		210 |   security_group_id = aws_security_group.concurrent_manager.id
		211 |   cidr_ipv4         = "0.0.0.0/0"
		212 |   ip_protocol       = "-1"
		213 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:215-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		215 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		216 |   security_group_id            = aws_security_group.concurrent_manager.id
		217 |   description                  = "SSH from the Bastion"
		218 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		219 |   from_port                    = 22
		220 |   ip_protocol                  = "tcp"
		221 |   to_port                      = 22
		222 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:235-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		235 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		236 |   security_group_id = aws_security_group.database.id
		237 |   cidr_ipv4         = "0.0.0.0/0"
		238 |   ip_protocol       = "-1"
		239 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:241-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		241 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		242 |   security_group_id            = aws_security_group.database.id
		243 |   description                  = "SSH from the Bastion"
		244 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		245 |   from_port                    = 22
		246 |   ip_protocol                  = "tcp"
		247 |   to_port                      = 22
		248 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:250-257
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		250 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		251 |   security_group_id            = aws_security_group.database.id
		252 |   description                  = "Allow Lambda SSH access for backup snapshots"
		253 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		254 |   from_port                    = 22
		255 |   ip_protocol                  = "tcp"
		256 |   to_port                      = 22
		257 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:386-402
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		386 | resource "aws_ebs_volume" "app1" {
		387 |   availability_zone = "eu-west-2a"
		388 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		389 |   type              = "gp2"
		390 |   encrypted         = true
		391 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		392 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		393 | 
		394 |   # lifecycle {
		395 |   #   ignore_changes = [kms_key_id]
		396 |   # }
		397 | 
		398 |   tags = merge(
		399 |     local.tags,
		400 |     { "Name" = "${local.application_name_short}-app1-data" },
		401 |   )
		402 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:410-427
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		410 | resource "aws_ebs_volume" "app2" {
		411 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		412 |   availability_zone = "eu-west-2a"
		413 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		414 |   type              = "gp2"
		415 |   encrypted         = true
		416 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		417 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		418 | 
		419 |   lifecycle {
		420 |     ignore_changes = [kms_key_id]
		421 |   }
		422 | 
		423 |   tags = merge(
		424 |     local.tags,
		425 |     { "Name" = "${local.application_name_short}-app2-data" },
		426 |   )
		427 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:246-262
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		246 | resource "aws_ebs_volume" "concurrent_manager" {
		247 |   availability_zone = "eu-west-2a"
		248 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		249 |   type              = "gp2"
		250 |   encrypted         = true
		251 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		252 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		253 | 
		254 |   # lifecycle {
		255 |   #   ignore_changes = [kms_key_id]
		256 |   # }
		257 | 
		258 |   tags = merge(
		259 |     local.tags,
		260 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		261 |   )
		262 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:419-435
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		419 | resource "aws_ebs_volume" "oradata" {
		420 |   availability_zone = "eu-west-2a"
		421 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		422 |   type              = "gp2"
		423 |   encrypted         = true
		424 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		425 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		426 | 
		427 |   lifecycle {
		428 |     ignore_changes = [kms_key_id]
		429 |   }
		430 | 
		431 |   tags = merge(
		432 |     local.tags,
		433 |     { "Name" = "${local.application_name_short}-database-oradata" },
		434 |   )
		435 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:443-459
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		443 | resource "aws_ebs_volume" "oracle" {
		444 |   availability_zone = "eu-west-2a"
		445 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		446 |   type              = "gp2"
		447 |   encrypted         = true
		448 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		449 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		450 | 
		451 |   lifecycle {
		452 |     ignore_changes = [kms_key_id]
		453 |   }
		454 | 
		455 |   tags = merge(
		456 |     local.tags,
		457 |     { "Name" = "${local.application_name_short}-database-oracle" },
		458 |   )
		459 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:467-483
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		467 | resource "aws_ebs_volume" "oraarch" {
		468 |   availability_zone = "eu-west-2a"
		469 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		470 |   type              = "gp2"
		471 |   encrypted         = true
		472 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		473 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		474 | 
		475 |   lifecycle {
		476 |     ignore_changes = [kms_key_id]
		477 |   }
		478 | 
		479 |   tags = merge(
		480 |     local.tags,
		481 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		482 |   )
		483 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:491-507
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		491 | resource "aws_ebs_volume" "oratmp" {
		492 |   availability_zone = "eu-west-2a"
		493 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		494 |   type              = "gp2"
		495 |   encrypted         = true
		496 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		497 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		498 | 
		499 |   lifecycle {
		500 |     ignore_changes = [kms_key_id]
		501 |   }
		502 | 
		503 |   tags = merge(
		504 |     local.tags,
		505 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		506 |   )
		507 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:515-531
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		515 | resource "aws_ebs_volume" "oraredo" {
		516 |   availability_zone = "eu-west-2a"
		517 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		518 |   type              = "gp2"
		519 |   encrypted         = true
		520 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		521 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		522 | 
		523 |   lifecycle {
		524 |     ignore_changes = [kms_key_id]
		525 |   }
		526 | 
		527 |   tags = merge(
		528 |     local.tags,
		529 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		530 |   )
		531 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:539-555
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		539 | resource "aws_ebs_volume" "share" {
		540 |   availability_zone = "eu-west-2a"
		541 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		542 |   type              = "gp2"
		543 |   encrypted         = true
		544 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		545 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		546 | 
		547 |   lifecycle {
		548 |     ignore_changes = [kms_key_id]
		549 |   }
		550 | 
		551 |   tags = merge(
		552 |     local.tags,
		553 |     { "Name" = "${local.application_name_short}-database-share" },
		554 |   )
		555 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 119:
 119: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-11-01T15:29:03Z	INFO	[vulndb] Need to update DB
2024-11-01T15:29:03Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-01T15:29:03Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-01T15:29:05Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-01T15:29:05Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-01T15:29:05Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-01T15:29:05Z	INFO	[misconfig] Need to update the built-in checks
2024-11-01T15:29:05Z	INFO	[misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-01T15:29:06Z	INFO	[secret] Secret scanning is enabled
2024-11-01T15:29:06Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-01T15:29:06Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-11-01T15:29:08Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-01T15:29:08Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-01T15:29:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-01T15:29:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-01T15:29:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-11-01T15:29:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-11-01T15:29:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-11-01T15:29:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-11-01T15:29:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-11-01T15:29:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-11-01T15:29:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-11-01T15:29:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-11-01T15:29:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-11-01T15:29:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-11-01T15:29:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-11-01T15:29:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-11-01T15:29:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-11-01T15:29:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-11-01T15:29:11Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-01T15:29:11Z	INFO	Number of language-specific files	num=0
2024-11-01T15:29:11Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:192-194
   via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 192 ┌   metadata_options {
 193 │     http_tokens = "optional"
 194 └   }
 ...   
 213   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:227-229
   via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 227 ┌   metadata_options {
 228 │     http_tokens = "optional"
 229 └   }
 ...   
 248   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:196-202
   via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 196 ┌   root_block_device {
 197 │     tags = merge(
 198 │       { "instance-scheduling" = "skip-scheduling" },
 199 │       local.tags,
 200 │       { "Name" = "${local.application_name_short}-app1-root" }
 201 │     )
 202 └   }
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:231-237
   via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 231 ┌   root_block_device {
 232 │     tags = merge(
 233 │       { "instance-scheduling" = "skip-scheduling" },
 234 │       local.tags,
 235 │       { "Name" = "${local.application_name_short}-app2-root" }
 236 │     )
 237 └   }
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:170-172
   via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 170 ┌   metadata_options {
 171 │     http_tokens = "optional"
 172 └   }
 ...   
 191   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:174-180
   via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 174 ┌   root_block_device {
 175 │     tags = merge(
 176 │       { "instance-scheduling" = "skip-scheduling" },
 177 │       local.tags,
 178 │       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
 179 │     )
 180 └   }
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:194-196
   via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 194 ┌   metadata_options {
 195 │     http_tokens = "optional"
 196 └   }
 ...   
 212   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:198-204
   via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 198 ┌   root_block_device {
 199 │     tags = merge(
 200 │       { "instance-scheduling" = "skip-scheduling" },
 201 │       local.tags,
 202 │       { "Name" = "${local.application_name_short}-database-root" }
 203 │     )
 204 └   }
 ...   
────────────────────────────────────────


trivy_exitcode=1

Contributor

github-actions bot commented Nov 1, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2024-11-01T15:33:06Z INFO [vulndb] Need to update DB
2024-11-01T15:33:06Z INFO [vulndb] Downloading vulnerability DB...
2024-11-01T15:33:06Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-01T15:33:08Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-01T15:33:08Z INFO [vuln] Vulnerability scanning is enabled
2024-11-01T15:33:08Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-01T15:33:08Z INFO [misconfig] Need to update the built-in checks
2024-11-01T15:33:08Z INFO [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-11-01T15:33:09Z INFO [secret] Secret scanning is enabled
2024-11-01T15:33:09Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-01T15:33:09Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-11-01T15:33:10Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-01T15:33:10Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-01T15:33:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-01T15:33:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-01T15:33:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-11-01T15:33:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-11-01T15:33:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-11-01T15:33:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-11-01T15:33:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-11-01T15:33:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-11-01T15:33:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-11-01T15:33:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-11-01T15:33:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-11-01T15:33:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-11-01T15:33:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-11-01T15:33:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-11-01T15:33:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-11-01T15:33:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-11-01T15:33:14Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-01T15:33:14Z INFO Number of language-specific files num=0
2024-11-01T15:33:14Z INFO Detected config files num=9

alb.tf (terraform)
==================

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

app_servers.tf (terraform)
==========================

Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:192-194
via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
181 resource "aws_instance" "app1" {
...
192 ┌ metadata_options {
193 │ http_tokens = "optional"
194 └ }
...
213 }
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:227-229
via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
215 resource "aws_instance" "app2" {
...
227 ┌ metadata_options {
228 │ http_tokens = "optional"
229 └ }
...
248 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:196-202
via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
181 resource "aws_instance" "app1" {
...
196 ┌ root_block_device {
197 │ tags = merge(
198 │ { "instance-scheduling" = "skip-scheduling" },
199 │ local.tags,
200 │ { "Name" = "${local.application_name_short}-app1-root" }
201 │ )
202 └ }
...
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:231-237
via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
215 resource "aws_instance" "app2" {
...
231 ┌ root_block_device {
232 │ tags = merge(
233 │ { "instance-scheduling" = "skip-scheduling" },
234 │ local.tags,
235 │ { "Name" = "${local.application_name_short}-app2-root" }
236 │ )
237 └ }
...
────────────────────────────────────────

backup_lambda.tf (terraform)
============================

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "scripts" {
102 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
106 │ )
107 └ }
────────────────────────────────────────

concurrent_manager.tf (terraform)
=================================

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:170-172
via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
159 resource "aws_instance" "concurrent_manager" {
...
170 ┌ metadata_options {
171 │ http_tokens = "optional"
172 └ }
...
191 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:174-180
via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
159 resource "aws_instance" "concurrent_manager" {
...
174 ┌ root_block_device {
175 │ tags = merge(
176 │ { "instance-scheduling" = "skip-scheduling" },
177 │ local.tags,
178 │ { "Name" = "${local.application_name_short}-concurrent-manager-root" }
179 │ )
180 └ }
...
────────────────────────────────────────

database.tf (terraform)
=======================

Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:194-196
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
194 ┌ metadata_options {
195 │ http_tokens = "optional"
196 └ }
...
212 }
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:198-204
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
198 ┌ root_block_device {
199 │ tags = merge(
200 │ { "instance-scheduling" = "skip-scheduling" },
201 │ local.tags,
202 │ { "Name" = "${local.application_name_short}-database-root" }
203 │ )
204 └ }
...
────────────────────────────────────────

trivy_exitcode=1

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-01 15:33:17,135 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-01 15:33:17,135 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-11-01 15:33:17,135 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-01 15:33:17,167 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-01 15:33:17,177 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 405, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.external
	File: /alb.tf:188-216

		188 | resource "aws_lb_target_group" "external" {
		189 |   name                          = "${local.application_name_short}-TargetGroup"
		190 |   port                          = 8050
		191 |   protocol                      = "HTTP"
		192 |   vpc_id                        = data.aws_vpc.shared.id
		193 |   deregistration_delay          = 10
		194 |   load_balancing_algorithm_type = "least_outstanding_requests"
		195 |   health_check {
		196 |     interval            = 15
		197 |     path                = "/OA_HTML/AppsLocalLogin.jsp"
		198 |     protocol            = "HTTP"
		199 |     timeout             = 5
		200 |     healthy_threshold   = 2
		201 |     unhealthy_threshold = 3
		202 |   }
		203 |   stickiness {
		204 |     enabled = true
		205 |     type    = "lb_cookie"
		206 | 
		207 |   }
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "${local.application_name}-TargetGroup"
		213 |     },
		214 |   )
		215 | 
		216 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		215 | resource "aws_instance" "app2" {
		216 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone      = "eu-west-2a"
		219 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring             = true
		221 |   vpc_security_group_ids = [aws_security_group.app.id]
		222 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		224 |   key_name               = aws_key_pair.cwa.key_name
		225 |   user_data_base64       = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		215 | resource "aws_instance" "app2" {
		216 |   count                  = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                    = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone      = "eu-west-2a"
		219 |   instance_type          = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring             = true
		221 |   vpc_security_group_ids = [aws_security_group.app.id]
		222 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile   = aws_iam_instance_profile.cwa.id
		224 |   key_name               = aws_key_pair.cwa.key_name
		225 |   user_data_base64       = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:266-270
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		266 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		267 |   security_group_id = aws_security_group.app.id
		268 |   cidr_ipv4         = "0.0.0.0/0"
		269 |   ip_protocol       = "-1"
		270 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:272-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		272 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		273 |   security_group_id            = aws_security_group.app.id
		274 |   description                  = "SSH from the Bastion"
		275 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		276 |   from_port                    = 22
		277 |   ip_protocol                  = "tcp"
		278 |   to_port                      = 22
		279 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.scripts.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name_short}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.scripts.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.scripts.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
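
The five Lambda findings above (CKV_AWS_115, CKV_AWS_116, CKV_AWS_50, CKV_AWS_173, CKV_AWS_272) recur for `create_db_snapshots`, `delete_db_snapshots` and `connect_db`, and every one of them is an attribute on `aws_lambda_function`. The one worth the effort is code signing: each function loads its zip from the `scripts` S3 bucket, so at apply time whatever is at that key runs with the `backup_lambda` role, and the description of `connect_db` ("SSH to the DB EC2") together with the `db_lambda` ingress rule later on this page means that role reaches the Oracle host over port 22. The block below is an added example in Terraform, not code from this PR or the modernisation-platform repository: the Signer profile, `aws_sqs_queue.lambda_dlq` and `aws_kms_key.lambda_env` are assumed resources that do not appear on this page.

```hcl
# Added example: hardened form of aws_lambda_function.connect_db.
# aws_signer_signing_profile.backup_lambda, aws_sqs_queue.lambda_dlq and
# aws_kms_key.lambda_env are assumed; they are not defined in the scanned repo.

# Signing profile and config: Lambda refuses a zip whose signature does not
# come from this profile (CKV_AWS_272).
resource "aws_signer_signing_profile" "backup_lambda" {
  platform_id = "AWSLambda-SHA384-ECDSA"
  name_prefix = "cwa_backup_lambda_"
}

resource "aws_lambda_code_signing_config" "backup_lambda" {
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.backup_lambda.version_arn]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce" # reject, do not merely warn
  }
}

resource "aws_lambda_function" "connect_db" {
  description      = "SSH to the DB EC2"
  function_name    = "connectDBFunction"
  role             = aws_iam_role.backup_lambda.arn
  handler          = "ssh/dbconnect.handler"
  source_code_hash = data.archive_file.connect_db.output_base64sha256
  runtime          = "nodejs18.x"
  layers           = [aws_lambda_layer_version.backup_lambda.arn]
  s3_bucket        = aws_s3_bucket.scripts.id
  s3_key           = "${local.db_connect_script_prefix}.zip" # must now be the Signer output, not the raw zip
  memory_size      = 128
  timeout          = 900

  # CKV_AWS_272: only artifacts signed by the profile above can be deployed
  code_signing_config_arn = aws_lambda_code_signing_config.backup_lambda.arn

  # CKV_AWS_115: a maintenance job that opens one SSH session never needs to fan out
  reserved_concurrent_executions = 1

  # CKV_AWS_116: failed asynchronous invocations are kept for investigation
  dead_letter_config {
    target_arn = aws_sqs_queue.lambda_dlq.arn
  }

  # CKV_AWS_50: trace the invocation end to end
  tracing_config {
    mode = "Active"
  }

  # CKV_AWS_173: CMK for environment variables. LD_LIBRARY_PATH is not a
  # secret, so this is low impact; real secrets belong in Secrets Manager.
  kms_key_arn = aws_kms_key.lambda_env.arn
  environment {
    variables = {
      LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
    }
  }

  vpc_config {
    security_group_ids = [aws_security_group.backup_lambda.id]
    subnet_ids         = [data.aws_subnet.data_subnets_a.id]
  }

  depends_on = [time_sleep.wait_for_provision_files] # object must exist in the bucket first
  tags = merge(
    local.tags,
    { Name = "${local.application_name_short}-${local.environment}-lambda-connect-db" }
  )
}
```

Three things the attributes alone do not give you. Signing is a pipeline change, not just a flag: the zip has to go through an `aws_signer_signing_job` (its S3 source must be a versioned bucket) or `aws signer start-signing-job` in CI, and `s3_key` must point at the signed output, otherwise the first apply after enabling `Enforce` fails. The DLQ only receives asynchronous invocations, and the `backup_lambda` role needs `sqs:SendMessage` on the queue and `xray:PutTraceSegments` / `xray:PutTelemetryRecords` for tracing, or both silently do nothing. Separately from Checkov, `delete_db_snapshots` still declares `runtime = "python3.8"`, which Lambda deprecated on 14 October 2024; it no longer receives security patches and AWS will in due course block creates and updates on it.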
Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:209-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		209 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		210 |   security_group_id = aws_security_group.concurrent_manager.id
		211 |   cidr_ipv4         = "0.0.0.0/0"
		212 |   ip_protocol       = "-1"
		213 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:215-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		215 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		216 |   security_group_id            = aws_security_group.concurrent_manager.id
		217 |   description                  = "SSH from the Bastion"
		218 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		219 |   from_port                    = 22
		220 |   ip_protocol                  = "tcp"
		221 |   to_port                      = 22
		222 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:235-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		235 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		236 |   security_group_id = aws_security_group.database.id
		237 |   cidr_ipv4         = "0.0.0.0/0"
		238 |   ip_protocol       = "-1"
		239 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:241-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		241 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		242 |   security_group_id            = aws_security_group.database.id
		243 |   description                  = "SSH from the Bastion"
		244 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		245 |   from_port                    = 22
		246 |   ip_protocol                  = "tcp"
		247 |   to_port                      = 22
		248 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /database.tf:250-257
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		250 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		251 |   security_group_id            = aws_security_group.database.id
		252 |   description                  = "Allow Lambda SSH access for backup snapshots"
		253 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		254 |   from_port                    = 22
		255 |   ip_protocol                  = "tcp"
		256 |   to_port                      = 22
		257 | }
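
The three CKV_AWS_24 hits (`cm_bastion_ssh`, `db_bastion_ssh`, `db_lambda`) are false positives: each rule names a `referenced_security_group_id` (the bastion or the backup Lambda group) rather than a CIDR, so nothing on port 22 is reachable from 0.0.0.0/0. Checkov reports them regardless, and the honest fix is an inline suppression with the reason recorded, not a change to the rule. The CKV_AWS_23 findings on `cm_outbound` and `db_outbound` are real but small: the all-protocol egress rules carry no `description`. Added example for the database group, not the repository's code; the concurrent-manager rules take the same treatment.

```hcl
# Added example, not the repository's code.

# CKV_AWS_23: say what the unrestricted egress is for, so the next reviewer
# can judge whether it can be narrowed to VPC and AWS endpoint ranges.
resource "aws_vpc_security_group_egress_rule" "db_outbound" {
  security_group_id = aws_security_group.database.id
  description       = "All outbound from the Oracle host (OS patching, snapshot uploads); review for narrowing"
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

# CKV_AWS_24: source is a security group, not a CIDR. Suppress with a reason
# rather than loosening the check globally in .checkov.yaml.
resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
  #checkov:skip=CKV_AWS_24:Source is the bastion security group, not a CIDR; port 22 is not internet-reachable
  security_group_id            = aws_security_group.database.id
  description                  = "SSH from the Bastion"
  referenced_security_group_id = module.bastion_linux.bastion_security_group
  from_port                    = 22
  ip_protocol                  = "tcp"
  to_port                      = 22
}

resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
  #checkov:skip=CKV_AWS_24:Source is the backup Lambda security group, not a CIDR
  security_group_id            = aws_security_group.database.id
  description                  = "Allow Lambda SSH access for backup snapshots"
  referenced_security_group_id = aws_security_group.backup_lambda.id
  from_port                    = 22
  ip_protocol                  = "tcp"
  to_port                      = 22
}
```

The suppression comment must sit inside the resource block for Checkov to associate it. To confirm the deployed state matches the code, `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<database sg id>` should show no rule with `CidrIpv4` of `0.0.0.0/0` and `FromPort` 22.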

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
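
CKV_TF_1 is the supply-chain finding on this page: `?ref=v4.2.0` and `?ref=v2.0.0` are git tags, and a tag can be moved to different code by anyone with push access to the module repository, whereas a commit SHA cannot change without the hash changing. Added example, not the repository's code; the two 40-character values are placeholders, not the actual commits behind those tags. The real SHA comes from `git ls-remote --tags <repo url>` (for an annotated tag, take the `^{}` peeled entry). Keep the tag in a comment so a reader can still tell which release is pinned.

```hcl
# Added example, not the repository's code. Both SHAs are placeholders.
module "bastion_linux" {
  # v4.2.0: pinned to the commit, not the tag (CKV_TF_1)
  source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=0000000000000000000000000000000000000000"

  providers = {
    aws.share-host   = aws.core-vpc
    aws.share-tenant = aws
  }
  bucket_name          = "bastion-${local.application_name_short}"
  public_key_data      = local.public_key_data.keys[local.environment]
  log_auto_clean       = "Enabled"
  log_standard_ia_days = 30
  log_glacier_days     = 60
  log_expiry_days      = 180
  allow_ssh_commands   = false
  app_name             = var.networking[0].application
  business_unit        = local.vpc_name
  subnet_set           = local.subnet_set
  environment          = local.environment
  region               = "eu-west-2"
  tags_common          = local.tags
  tags_prefix          = terraform.workspace
}

module "pagerduty_core_alerts" {
  depends_on = [aws_sns_topic.cwa]
  # v2.0.0: pinned to the commit, not the tag (CKV_TF_1)
  source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0000000000000000000000000000000000000000"
  sns_topics                = [aws_sns_topic.cwa.name]
  pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
}
```

Pinning to a SHA means upgrades are now deliberate: bumping the module is a visible diff of the hash and the comment, which is exactly the review point a tag move would have bypassed.
</grinsert>
<gr_insert after="41109" cat="add_content" lang="hcl" orig="351 | }">

CKV_AWS_166 (backup vault), CKV_AWS_26 (SNS topic), CKV_AWS_158 (log group) and CKV_AWS_338 (retention) are the same fix applied three times: a customer-managed KMS key plus a retention period. The part these checks cannot see, and the part that bites in practice, is the key policy: each AWS service that writes into the encrypted resource must be allowed to use the key, or CloudWatch alarms stop publishing to the topic and the WAF log group cannot be created. Added example, not the repository's code; `aws_kms_key.cwa` and `data.aws_caller_identity.current` are assumed (the page only shows `aws_kms_key.efs`), and the region is taken from the bastion module's `eu-west-2`.

```hcl
# Added example, not the repository's code. aws_kms_key.cwa and
# data.aws_caller_identity.current are assumed.
data "aws_caller_identity" "current" {}

resource "aws_kms_key" "cwa" {
  description         = "CMK for the CWA alerting topic, backup vault and log groups"
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AccountAdmin"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # CloudWatch alarms publish to the encrypted SNS topic through this key;
        # without this statement alarms fail to deliver and nothing pages.
        Sid       = "CloudWatchAlarmsToSns"
        Effect    = "Allow"
        Principal = { Service = "cloudwatch.amazonaws.com" }
        Action    = ["kms:GenerateDataKey*", "kms:Decrypt"]
        Resource  = "*"
      },
      {
        # CloudWatch Logs needs the key for the WAF log group, scoped to that group's ARN
        Sid       = "CloudWatchLogs"
        Effect    = "Allow"
        Principal = { Service = "logs.eu-west-2.amazonaws.com" }
        Action    = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
        Resource  = "*"
        Condition = {
          ArnEquals = {
            "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:aws-waf-logs-${local.application_name_short}"
          }
        }
      }
    ]
  })
}

resource "aws_backup_vault" "cwa" {
  name        = "${local.application_name_short}-backup-vault"
  kms_key_arn = aws_kms_key.cwa.arn # CKV_AWS_166; fixed at creation, changing it replaces the vault
  tags = merge(
    local.tags,
    { "Name" = "${local.application_name_short}-backup-vault" },
  )
}

resource "aws_sns_topic" "cwa" {
  name              = "${local.application_name_short}-${local.environment}-alerting-topic"
  kms_master_key_id = aws_kms_key.cwa.id # CKV_AWS_26
  tags = merge(
    local.tags,
    { Name = "${local.application_name_short}-${local.environment}-alerting-topic" }
  )
}

resource "aws_cloudwatch_log_group" "wafv2" {
  count             = local.environment != "production" ? 1 : 0
  name              = "aws-waf-logs-${local.application_name_short}" # WAF requires the aws-waf-logs- prefix
  retention_in_days = 365                                            # CKV_AWS_338
  kms_key_id        = aws_kms_key.cwa.arn                            # CKV_AWS_158
  tags = merge(
    local.tags,
    { Name = "aws-waf-logs-${local.application_name_short}" },
  )
}
```

Two caveats before applying this to an environment that already exists. `kms_key_arn` on `aws_backup_vault` forces replacement, and a vault holding recovery points cannot be deleted, so for a live vault create a second, encrypted vault and repoint the backup plan rather than editing in place. And the `count` on the log group means production has no WAF log group in this file at all; 7-day retention in non-production is a lesser problem than no declared WAF logging destination in production, which is worth a look even though Checkov cannot report on a resource that is not there.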
Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.scripts.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:386-405
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		386 | resource "aws_ebs_volume" "app1" {
		387 |   availability_zone = "eu-west-2a"
		388 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		389 |   type              = "gp2"
		390 |   encrypted         = true
		391 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		392 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		393 | 
		394 |   lifecycle {
		395 |     replace_triggered_by = [
		396 |       aws_instance.app1.id
		397 |     ]
		398 |     ignore_changes = [kms_key_id]
		399 |   }
		400 | 
		401 |   tags = merge(
		402 |     local.tags,
		403 |     { "Name" = "${local.application_name_short}-app1-data" },
		404 |   )
		405 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:413-430
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		413 | resource "aws_ebs_volume" "app2" {
		414 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		415 |   availability_zone = "eu-west-2a"
		416 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		417 |   type              = "gp2"
		418 |   encrypted         = true
		419 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		420 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		421 | 
		422 |   lifecycle {
		423 |     ignore_changes = [kms_key_id]
		424 |   }
		425 | 
		426 |   tags = merge(
		427 |     local.tags,
		428 |     { "Name" = "${local.application_name_short}-app2-data" },
		429 |   )
		430 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:246-265
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		246 | resource "aws_ebs_volume" "concurrent_manager" {
		247 |   availability_zone = "eu-west-2a"
		248 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		249 |   type              = "gp2"
		250 |   encrypted         = true
		251 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		252 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		253 | 
		254 |   lifecycle {
		255 |     replace_triggered_by = [
		256 |       aws_instance.concurrent_manager.id
		257 |     ]
		258 |     ignore_changes = [kms_key_id]
		259 |   }
		260 | 
		261 |   tags = merge(
		262 |     local.tags,
		263 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		264 |   )
		265 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:419-435
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		419 | resource "aws_ebs_volume" "oradata" {
		420 |   availability_zone = "eu-west-2a"
		421 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		422 |   type              = "gp2"
		423 |   encrypted         = true
		424 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		425 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		426 | 
		427 |   lifecycle {
		428 |     ignore_changes = [kms_key_id]
		429 |   }
		430 | 
		431 |   tags = merge(
		432 |     local.tags,
		433 |     { "Name" = "${local.application_name_short}-database-oradata" },
		434 |   )
		435 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:443-459
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		443 | resource "aws_ebs_volume" "oracle" {
		444 |   availability_zone = "eu-west-2a"
		445 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		446 |   type              = "gp2"
		447 |   encrypted         = true
		448 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		449 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		450 | 
		451 |   lifecycle {
		452 |     ignore_changes = [kms_key_id]
		453 |   }
		454 | 
		455 |   tags = merge(
		456 |     local.tags,
		457 |     { "Name" = "${local.application_name_short}-database-oracle" },
		458 |   )
		459 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:467-483
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		467 | resource "aws_ebs_volume" "oraarch" {
		468 |   availability_zone = "eu-west-2a"
		469 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		470 |   type              = "gp2"
		471 |   encrypted         = true
		472 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		473 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		474 | 
		475 |   lifecycle {
		476 |     ignore_changes = [kms_key_id]
		477 |   }
		478 | 
		479 |   tags = merge(
		480 |     local.tags,
		481 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		482 |   )
		483 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:491-507
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		491 | resource "aws_ebs_volume" "oratmp" {
		492 |   availability_zone = "eu-west-2a"
		493 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		494 |   type              = "gp2"
		495 |   encrypted         = true
		496 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		497 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		498 | 
		499 |   lifecycle {
		500 |     ignore_changes = [kms_key_id]
		501 |   }
		502 | 
		503 |   tags = merge(
		504 |     local.tags,
		505 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		506 |   )
		507 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:515-531
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		515 | resource "aws_ebs_volume" "oraredo" {
		516 |   availability_zone = "eu-west-2a"
		517 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		518 |   type              = "gp2"
		519 |   encrypted         = true
		520 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		521 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		522 | 
		523 |   lifecycle {
		524 |     ignore_changes = [kms_key_id]
		525 |   }
		526 | 
		527 |   tags = merge(
		528 |     local.tags,
		529 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		530 |   )
		531 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:539-555
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		539 | resource "aws_ebs_volume" "share" {
		540 |   availability_zone = "eu-west-2a"
		541 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		542 |   type              = "gp2"
		543 |   encrypted         = true
		544 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		545 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		546 | 
		547 |   lifecycle {
		548 |     ignore_changes = [kms_key_id]
		549 |   }
		550 | 
		551 |   tags = merge(
		552 |     local.tags,
		553 |     { "Name" = "${local.application_name_short}-database-share" },
		554 |   )
		555 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "scripts" {
		102 |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		106 |   )
		107 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/database.tf line 174:
 174: resource "time_sleep" "wait_db_userdata_scripts" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2024-11-01T15:33:06Z	INFO	[vulndb] Need to update DB
2024-11-01T15:33:06Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-01T15:33:06Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-01T15:33:08Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-01T15:33:08Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-01T15:33:08Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-01T15:33:08Z	INFO	[misconfig] Need to update the built-in checks
2024-11-01T15:33:08Z	INFO	[misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-11-01T15:33:09Z	INFO	[secret] Secret scanning is enabled
2024-11-01T15:33:09Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-01T15:33:09Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-11-01T15:33:10Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-01T15:33:10Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-01T15:33:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-01T15:33:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-01T15:33:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-11-01T15:33:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-11-01T15:33:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-11-01T15:33:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-11-01T15:33:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-11-01T15:33:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-11-01T15:33:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-11-01T15:33:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-11-01T15:33:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-11-01T15:33:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-11-01T15:33:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-11-01T15:33:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-11-01T15:33:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-11-01T15:33:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-11-01T15:33:14Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-01T15:33:14Z	INFO	Number of language-specific files	num=0
2024-11-01T15:33:14Z	INFO	Detected config files	num=9

alb.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 │   enable_http2               = false
 ...   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 │   enable_http2               = false
 ...   
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:192-194
   via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 192 ┌   metadata_options {
 193 │     http_tokens = "optional"
 194 └   }
 ...   
 213   }
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:227-229
   via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 227 ┌   metadata_options {
 228 │     http_tokens = "optional"
 229 └   }
 ...   
 248   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:196-202
   via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 196 ┌   root_block_device {
 197 │     tags = merge(
 198 │       { "instance-scheduling" = "skip-scheduling" },
 199 │       local.tags,
 200 │       { "Name" = "${local.application_name_short}-app1-root" }
 201 │     )
 202 └   }
 ...   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:231-237
   via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 231 ┌   root_block_device {
 232 │     tags = merge(
 233 │       { "instance-scheduling" = "skip-scheduling" },
 234 │       local.tags,
 235 │       { "Name" = "${local.application_name_short}-app2-root" }
 236 │     )
 237 └   }
 ...   
────────────────────────────────────────



backup_lambda.tf (terraform)
============================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "scripts" {
 102 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
 106 │   )
 107 └ }
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:170-172
   via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 170 ┌   metadata_options {
 171 │     http_tokens = "optional"
 172 └   }
 ...   
 191   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:174-180
   via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 174 ┌   root_block_device {
 175 │     tags = merge(
 176 │       { "instance-scheduling" = "skip-scheduling" },
 177 │       local.tags,
 178 │       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
 179 │     )
 180 └   }
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 1)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:194-196
   via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 194 ┌   metadata_options {
 195 │     http_tokens = "optional"
 196 └   }
 ...   
 212   }
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:198-204
   via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 198 ┌   root_block_device {
 199 │     tags = merge(
 200 │       { "instance-scheduling" = "skip-scheduling" },
 201 │       local.tags,
 202 │       { "Name" = "${local.application_name_short}-database-root" }
 203 │     )
 204 └   }
 ...   
────────────────────────────────────────


trivy_exitcode=1

@vc13837 vc13837 temporarily deployed to contract-work-administration-development November 1, 2024 15:33 — with GitHub Actions Inactive
@vc13837 vc13837 merged commit d62a817 into main Nov 1, 2024
12 of 16 checks passed
@vc13837 vc13837 deleted the TM-65 branch November 1, 2024 16:31