Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🧪 Debugging MoJO #8496

Merged
merged 9 commits into from
Nov 7, 2024
Merged

🧪 Debugging MoJO #8496

merged 9 commits into from
Nov 7, 2024

Conversation

jacobwoffenden
Copy link
Member

@jacobwoffenden jacobwoffenden commented Oct 29, 2024
edited
Loading

This pull request:

Signed-off-by: Jacob Woffenden jacob.woffenden@justice.gov.uk

@jacobwoffenden
Add SSM endpoint
79f3fb2 
Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
@jacobwoffenden jacobwoffenden self-assigned this Oct 29, 2024
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 29, 2024
modernisation-platform-ci
modernisation-platform-ci requested changes Oct 29, 2024
View reviewed changes
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@jacobwoffenden Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-29T16:38:27Z INFO [vulndb] Need to update DB
2024-10-29T16:38:27Z INFO [vulndb] Downloading vulnerability DB...
2024-10-29T16:38:27Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T16:38:30Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T16:38:30Z INFO [vuln] Vulnerability scanning is enabled
2024-10-29T16:38:30Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-29T16:38:30Z INFO [misconfig] Need to update the built-in checks
2024-10-29T16:38:30Z INFO [misconfig] Downloading the built-in checks...
2024-10-29T16:38:30Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16957b935ef82529bc26f3ceeeb60d798c90ef142d25e3715ab4478b204ed1bb: TOOMANYREQUESTS: retry-after: 928.074µs, allowed: 44000/minute"
2024-10-29T16:38:30Z INFO [secret] Secret scanning is enabled
2024-10-29T16:38:30Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T16:38:30Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T16:38:31Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-29T16:38:31Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-29T16:38:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.connected_vpc_transit_gateway_routes" value="cty.NilVal"
2024-10-29T16:38:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-10-29T16:38:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-29T16:38:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-29T16:38:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-29T16:38:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-29T16:38:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-29T16:38:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:38Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-29T16:38:38Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-29T16:38:38Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-29T16:38:38Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-29T16:38:38Z INFO Number of language-specific files num=0
2024-10-29T16:38:38Z INFO Detected config files num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
12 resource "aws_lb" "this" {
..
47 [ internal = var.internal
..
81 }
────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

terraform-aws-modules/vpc/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:340
via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:323
via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:221
via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:204
via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-29 16:38:41,294 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,294 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,294 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,294 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/resolver-rule-associations:4.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,295 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,295 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,295 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,295 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/resolver-endpoints:4.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,295 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,295 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,296 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,296 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,296 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,296 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,296 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,296 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,297 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,309 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-29 16:38:41,314 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 167, Failed checks: 2, Skipped checks: 65

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: connected_vpc_route53_resolver_associations
	File: /route53-resolver-associations.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "connected_vpc_route53_resolver_associations" {
		2  | 
		3  |   source  = "terraform-aws-modules/route53/aws//modules/resolver-rule-associations"
		4  |   version = "4.1.0"
		5  | 
		6  |   vpc_id = module.connected_vpc.vpc_id
		7  | 
		8  |   resolver_rule_associations = {
		9  |     mojo-dns-resolver-dom1-infra-int = {
		10 |       resolver_rule_id = aws_route53_resolver_rule.mojo_dns_resolver_dom1_infra_int.id
		11 |     }
		12 |   }
		13 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: connected_vpc_outbound_route53_resolver_endpoint
	File: /route53-resolver-endpoints.tf:1-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "connected_vpc_outbound_route53_resolver_endpoint" {
		2  |   source  = "terraform-aws-modules/route53/aws//modules/resolver-endpoints"
		3  |   version = "4.1.0"
		4  | 
		5  |   name      = "connected-vpc-outbound"
		6  |   vpc_id    = module.connected_vpc.vpc_id
		7  |   direction = "OUTBOUND"
		8  |   protocols = ["Do53"]
		9  | 
		10 |   ip_address = [
		11 |     {
		12 |       subnet_id = module.connected_vpc.private_subnets[0]
		13 |     },
		14 |     {
		15 |       subnet_id = module.connected_vpc.private_subnets[1]
		16 |     }
		17 |   ]
		18 | 
		19 |   security_group_ingress_cidr_blocks = [module.connected_vpc.vpc_cidr_block]
		20 |   security_group_egress_cidr_blocks = [
		21 |     /* MoJO DNS Resolver Service */
		22 |     "10.180.80.5/32",
		23 |     "10.180.81.5/32"
		24 |   ]
		25 | 
		26 |   tags = local.tags
		27 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-29T16:38:27Z	INFO	[vulndb] Need to update DB
2024-10-29T16:38:27Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-29T16:38:27Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T16:38:30Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T16:38:30Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-29T16:38:30Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-29T16:38:30Z	INFO	[misconfig] Need to update the built-in checks
2024-10-29T16:38:30Z	INFO	[misconfig] Downloading the built-in checks...
2024-10-29T16:38:30Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16957b935ef82529bc26f3ceeeb60d798c90ef142d25e3715ab4478b204ed1bb: TOOMANYREQUESTS: retry-after: 928.074µs, allowed: 44000/minute"
2024-10-29T16:38:30Z	INFO	[secret] Secret scanning is enabled
2024-10-29T16:38:30Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T16:38:30Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T16:38:31Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-29T16:38:31Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-29T16:38:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.connected_vpc_transit_gateway_routes" value="cty.NilVal"
2024-10-29T16:38:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-10-29T16:38:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-29T16:38:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-29T16:38:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-29T16:38:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-29T16:38:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-29T16:38:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:38Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-29T16:38:38Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-29T16:38:38Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-29T16:38:38Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-29T16:38:38Z	INFO	Number of language-specific files	num=0
2024-10-29T16:38:38Z	INFO	Detected config files	num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
   via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
    via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
  12   resource "aws_lb" "this" {
  ..   
  47 [   internal                                                     = var.internal
  ..   
  81   }
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

modernisation-platform-ci
modernisation-platform-ci previously requested changes Oct 29, 2024
View reviewed changes
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@jacobwoffenden Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

ASTRobinson
ASTRobinson previously approved these changes Oct 29, 2024
View reviewed changes
@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-ingestion-development October 29, 2024 17:02 — with GitHub Actions Inactive
@jacobwoffenden
add debug instance
89a735e 
Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
modernisation-platform-ci
modernisation-platform-ci requested changes Oct 31, 2024
View reviewed changes
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@jacobwoffenden Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-ingestion-development October 31, 2024 15:24 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-31T15:24:35Z INFO [vulndb] Need to update DB
2024-10-31T15:24:35Z INFO [vulndb] Downloading vulnerability DB...
2024-10-31T15:24:35Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T15:24:38Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T15:24:38Z INFO [vuln] Vulnerability scanning is enabled
2024-10-31T15:24:38Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-31T15:24:38Z INFO [misconfig] Need to update the built-in checks
2024-10-31T15:24:38Z INFO [misconfig] Downloading the built-in checks...
2024-10-31T15:24:38Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:c2b4fe1cd51083ede5606a38fb24e7fafb06fd2632c9cf6d9c63f5a80a6c67dc: TOOMANYREQUESTS: retry-after: 107.705µs, allowed: 44000/minute"
2024-10-31T15:24:38Z INFO [secret] Secret scanning is enabled
2024-10-31T15:24:38Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-31T15:24:38Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-31T15:24:39Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-31T15:24:39Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-31T15:24:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.connected_vpc_transit_gateway_routes" value="cty.NilVal"
2024-10-31T15:24:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-10-31T15:24:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-31T15:24:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-31T15:24:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-31T15:24:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:24:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:24:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:24:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:24:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:24:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:24:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:24:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:24:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-31T15:24:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-31T15:24:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:24:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:24:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:24:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:24:45Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-31T15:24:45Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-31T15:24:45Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-31T15:24:45Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-31T15:24:45Z INFO Number of language-specific files num=0
2024-10-31T15:24:45Z INFO Detected config files num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
12 resource "aws_lb" "this" {
..
47 [ internal = var.internal
..
81 }
────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

terraform-aws-modules/vpc/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:340
via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:323
via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:221
via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:204
via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-31 15:24:47,842 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,842 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,842 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,842 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/resolver-rule-associations:4.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,842 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,843 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,843 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,843 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/resolver-endpoints:4.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,843 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,843 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,843 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,843 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,844 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,844 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,844 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,844 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,844 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.1 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:24:47,862 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-31 15:24:47,863 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 169, Failed checks: 2, Skipped checks: 67

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: connected_vpc_route53_resolver_associations
	File: /route53-resolver-associations.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "connected_vpc_route53_resolver_associations" {
		2  | 
		3  |   source  = "terraform-aws-modules/route53/aws//modules/resolver-rule-associations"
		4  |   version = "4.1.0"
		5  | 
		6  |   vpc_id = module.connected_vpc.vpc_id
		7  | 
		8  |   resolver_rule_associations = {
		9  |     mojo-dns-resolver-dom1-infra-int = {
		10 |       resolver_rule_id = aws_route53_resolver_rule.mojo_dns_resolver_dom1_infra_int.id
		11 |     }
		12 |   }
		13 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: connected_vpc_outbound_route53_resolver_endpoint
	File: /route53-resolver-endpoints.tf:1-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "connected_vpc_outbound_route53_resolver_endpoint" {
		2  |   source  = "terraform-aws-modules/route53/aws//modules/resolver-endpoints"
		3  |   version = "4.1.0"
		4  | 
		5  |   name      = "connected-vpc-outbound"
		6  |   vpc_id    = module.connected_vpc.vpc_id
		7  |   direction = "OUTBOUND"
		8  |   protocols = ["Do53"]
		9  | 
		10 |   ip_address = [
		11 |     {
		12 |       subnet_id = module.connected_vpc.private_subnets[0]
		13 |     },
		14 |     {
		15 |       subnet_id = module.connected_vpc.private_subnets[1]
		16 |     }
		17 |   ]
		18 | 
		19 |   security_group_ingress_cidr_blocks = [module.connected_vpc.vpc_cidr_block]
		20 |   security_group_egress_cidr_blocks = [
		21 |     /* MoJO DNS Resolver Service */
		22 |     "10.180.80.5/32",
		23 |     "10.180.81.5/32"
		24 |   ]
		25 | 
		26 |   tags = local.tags
		27 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-31T15:24:35Z	INFO	[vulndb] Need to update DB
2024-10-31T15:24:35Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-31T15:24:35Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T15:24:38Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T15:24:38Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-31T15:24:38Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-31T15:24:38Z	INFO	[misconfig] Need to update the built-in checks
2024-10-31T15:24:38Z	INFO	[misconfig] Downloading the built-in checks...
2024-10-31T15:24:38Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:c2b4fe1cd51083ede5606a38fb24e7fafb06fd2632c9cf6d9c63f5a80a6c67dc: TOOMANYREQUESTS: retry-after: 107.705µs, allowed: 44000/minute"
2024-10-31T15:24:38Z	INFO	[secret] Secret scanning is enabled
2024-10-31T15:24:38Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-31T15:24:38Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-31T15:24:39Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-31T15:24:39Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-31T15:24:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.connected_vpc_transit_gateway_routes" value="cty.NilVal"
2024-10-31T15:24:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-10-31T15:24:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-31T15:24:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-31T15:24:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-31T15:24:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:24:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:24:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:24:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:24:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:24:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:24:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:24:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:24:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-31T15:24:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-31T15:24:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:24:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:24:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:24:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:24:45Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-31T15:24:45Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-31T15:24:45Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-31T15:24:45Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-31T15:24:45Z	INFO	Number of language-specific files	num=0
2024-10-31T15:24:45Z	INFO	Detected config files	num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
   via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
    via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
  12   resource "aws_lb" "this" {
  ..   
  47 [   internal                                                     = var.internal
  ..   
  81   }
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

@jacobwoffenden
add further vpc endpoints
aa2431c 
Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
modernisation-platform-ci
modernisation-platform-ci requested changes Oct 31, 2024
View reviewed changes
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@jacobwoffenden Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

modernisation-platform-ci
modernisation-platform-ci previously requested changes Oct 31, 2024
View reviewed changes
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@jacobwoffenden Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-31T15:34:05Z INFO [vulndb] Need to update DB
2024-10-31T15:34:05Z INFO [vulndb] Downloading vulnerability DB...
2024-10-31T15:34:05Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T15:34:08Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T15:34:08Z INFO [vuln] Vulnerability scanning is enabled
2024-10-31T15:34:08Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-31T15:34:08Z INFO [misconfig] Need to update the built-in checks
2024-10-31T15:34:08Z INFO [misconfig] Downloading the built-in checks...
2024-10-31T15:34:08Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 206.47µs, allowed: 44000/minute\n\n"
2024-10-31T15:34:08Z INFO [secret] Secret scanning is enabled
2024-10-31T15:34:08Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-31T15:34:08Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-31T15:34:09Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-31T15:34:09Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-31T15:34:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.connected_vpc_transit_gateway_routes" value="cty.NilVal"
2024-10-31T15:34:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-10-31T15:34:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-31T15:34:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-31T15:34:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-31T15:34:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:34:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:34:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:34:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:34:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:34:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:34:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:34:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:34:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-31T15:34:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-31T15:34:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:34:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:34:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:34:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:34:19Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-31T15:34:19Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-31T15:34:19Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-31T15:34:19Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-31T15:34:19Z INFO Number of language-specific files num=0
2024-10-31T15:34:19Z INFO Detected config files num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
12 resource "aws_lb" "this" {
..
47 [ internal = var.internal
..
81 }
────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

terraform-aws-modules/vpc/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:340
via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:323
via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:221
via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:204
via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-31 15:34:22,449 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,449 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,449 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,449 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/resolver-rule-associations:4.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,450 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,450 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,450 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,450 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/resolver-endpoints:4.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,450 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,450 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,450 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,451 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,451 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,451 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,451 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,451 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,451 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.1 (for external modules, the --download-external-modules flag is required)
2024-10-31 15:34:22,465 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-31 15:34:22,466 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 169, Failed checks: 2, Skipped checks: 67

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: connected_vpc_route53_resolver_associations
	File: /route53-resolver-associations.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "connected_vpc_route53_resolver_associations" {
		2  | 
		3  |   source  = "terraform-aws-modules/route53/aws//modules/resolver-rule-associations"
		4  |   version = "4.1.0"
		5  | 
		6  |   vpc_id = module.connected_vpc.vpc_id
		7  | 
		8  |   resolver_rule_associations = {
		9  |     mojo-dns-resolver-dom1-infra-int = {
		10 |       resolver_rule_id = aws_route53_resolver_rule.mojo_dns_resolver_dom1_infra_int.id
		11 |     }
		12 |   }
		13 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: connected_vpc_outbound_route53_resolver_endpoint
	File: /route53-resolver-endpoints.tf:1-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "connected_vpc_outbound_route53_resolver_endpoint" {
		2  |   source  = "terraform-aws-modules/route53/aws//modules/resolver-endpoints"
		3  |   version = "4.1.0"
		4  | 
		5  |   name      = "connected-vpc-outbound"
		6  |   vpc_id    = module.connected_vpc.vpc_id
		7  |   direction = "OUTBOUND"
		8  |   protocols = ["Do53"]
		9  | 
		10 |   ip_address = [
		11 |     {
		12 |       subnet_id = module.connected_vpc.private_subnets[0]
		13 |     },
		14 |     {
		15 |       subnet_id = module.connected_vpc.private_subnets[1]
		16 |     }
		17 |   ]
		18 | 
		19 |   security_group_ingress_cidr_blocks = [module.connected_vpc.vpc_cidr_block]
		20 |   security_group_egress_cidr_blocks = [
		21 |     /* MoJO DNS Resolver Service */
		22 |     "10.180.80.5/32",
		23 |     "10.180.81.5/32"
		24 |   ]
		25 | 
		26 |   tags = local.tags
		27 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-31T15:34:05Z	INFO	[vulndb] Need to update DB
2024-10-31T15:34:05Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-31T15:34:05Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T15:34:08Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-31T15:34:08Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-31T15:34:08Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-31T15:34:08Z	INFO	[misconfig] Need to update the built-in checks
2024-10-31T15:34:08Z	INFO	[misconfig] Downloading the built-in checks...
2024-10-31T15:34:08Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 206.47µs, allowed: 44000/minute\n\n"
2024-10-31T15:34:08Z	INFO	[secret] Secret scanning is enabled
2024-10-31T15:34:08Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-31T15:34:08Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-31T15:34:09Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-31T15:34:09Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-31T15:34:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.connected_vpc_transit_gateway_routes" value="cty.NilVal"
2024-10-31T15:34:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-10-31T15:34:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-31T15:34:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-31T15:34:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-31T15:34:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:34:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:34:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:34:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:34:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:34:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:34:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:34:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:34:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-31T15:34:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-31T15:34:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:34:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:34:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-31T15:34:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-31T15:34:19Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-31T15:34:19Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-31T15:34:19Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-31T15:34:19Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-31T15:34:19Z	INFO	Number of language-specific files	num=0
2024-10-31T15:34:19Z	INFO	Detected config files	num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
   via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
    via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
  12   resource "aws_lb" "this" {
  ..   
  47 [   internal                                                     = var.internal
  ..   
  81   }
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

mikereiddigital
mikereiddigital previously approved these changes Oct 31, 2024
View reviewed changes
Copy link
Contributor

@mikereiddigital mikereiddigital left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lg2m

@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-ingestion-development October 31, 2024 15:50 — with GitHub Actions Inactive
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-ingestion-development October 31, 2024 16:46 — with GitHub Actions Failure
@jacobwoffenden
fix sg
c6eceec 
add cloudwatch logs
add r53 resolver logging

Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
modernisation-platform-ci
modernisation-platform-ci requested changes Oct 31, 2024
View reviewed changes
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

Khatraf
Khatraf previously approved these changes Nov 5, 2024
View reviewed changes
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-ingestion-development November 5, 2024 15:58 — with GitHub Actions Failure
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-ingestion-development November 5, 2024 16:08 — with GitHub Actions Failure
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-ingestion-development November 6, 2024 09:51 — with GitHub Actions Failure
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-ingestion-development November 6, 2024 10:55 — with GitHub Actions Failure
@jacobwoffenden
not the right place for that
127941a 
Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
@jacobwoffenden
chuck it all down
ccb3407 
Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-ingestion-development November 6, 2024 11:00 — with GitHub Actions Failure
modernisation-platform-ci
modernisation-platform-ci requested changes Nov 6, 2024
View reviewed changes
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@jacobwoffenden Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 6, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-11-06T11:01:19Z INFO [vulndb] Need to update DB
2024-11-06T11:01:19Z INFO [vulndb] Downloading vulnerability DB...
2024-11-06T11:01:19Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-06T11:01:22Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-06T11:01:22Z INFO [vuln] Vulnerability scanning is enabled
2024-11-06T11:01:22Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-06T11:01:22Z INFO [misconfig] Need to update the built-in checks
2024-11-06T11:01:22Z INFO [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-06T11:01:22Z INFO [secret] Secret scanning is enabled
2024-11-06T11:01:22Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-06T11:01:22Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-06T11:01:23Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-06T11:01:23Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-06T11:01:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.connected_vpc_transit_gateway_routes" value="cty.NilVal"
2024-11-06T11:01:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-11-06T11:01:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-11-06T11:01:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bold_egress_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bold_egress_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:28Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:28Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:28Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:28Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:28Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definitions_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:28Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definitions_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:28Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:28Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:29Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-11-06T11:01:29Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-11-06T11:01:29Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-11-06T11:01:29Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-11-06T11:01:29Z INFO Number of language-specific files num=0
2024-11-06T11:01:29Z INFO Detected config files num=10

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81
via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
12 ┌ resource "aws_lb" "this" {
13 │ count = local.create ? 1 : 0
14 │
15 │ dynamic "access_logs" {
16 │ for_each = length(var.access_logs) > 0 ? [var.access_logs] : []
17 │
18 │ content {
19 │ bucket = access_logs.value.bucket
20 └ enabled = try(access_logs.value.enabled, true)
..
────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 0, CRITICAL: 4)

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

terraform-aws-modules/vpc/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 0, CRITICAL: 4)

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:340
via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:25-46 (module.isolated_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:323
via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:25-46 (module.isolated_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:221
via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:25-46 (module.isolated_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:204
via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:25-46 (module.isolated_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-06 11:01:32,111 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,112 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,112 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,112 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/resolver-rule-associations:4.1.0 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,112 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,112 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,112 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,112 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/resolver-endpoints:4.1.0 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,112 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,113 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,113 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,113 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,113 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,113 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,113 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,113 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,113 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.1 (for external modules, the --download-external-modules flag is required)
2024-11-06 11:01:32,130 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-06 11:01:32,130 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 170, Failed checks: 2, Skipped checks: 68

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: connected_vpc_route53_resolver_associations
	File: /route53-resolver-associations.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "connected_vpc_route53_resolver_associations" {
		2  | 
		3  |   source  = "terraform-aws-modules/route53/aws//modules/resolver-rule-associations"
		4  |   version = "4.1.0"
		5  | 
		6  |   vpc_id = module.connected_vpc.vpc_id
		7  | 
		8  |   resolver_rule_associations = {
		9  |     mojo-dns-resolver-dom1-infra-int = {
		10 |       resolver_rule_id = aws_route53_resolver_rule.mojo_dns_resolver_dom1_infra_int.id
		11 |     }
		12 |   }
		13 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: connected_vpc_outbound_route53_resolver_endpoint
	File: /route53-resolver-endpoints.tf:1-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "connected_vpc_outbound_route53_resolver_endpoint" {
		2  |   source  = "terraform-aws-modules/route53/aws//modules/resolver-endpoints"
		3  |   version = "4.1.0"
		4  | 
		5  |   name      = "connected-vpc-outbound"
		6  |   vpc_id    = module.connected_vpc.vpc_id
		7  |   direction = "OUTBOUND"
		8  |   protocols = ["Do53"]
		9  | 
		10 |   ip_address = [
		11 |     {
		12 |       subnet_id = module.connected_vpc.private_subnets[0]
		13 |     },
		14 |     {
		15 |       subnet_id = module.connected_vpc.private_subnets[1]
		16 |     }
		17 |   ]
		18 | 
		19 |   security_group_ingress_cidr_blocks = [module.connected_vpc.vpc_cidr_block]
		20 |   security_group_egress_cidr_blocks = [
		21 |     /* MoJO DNS Resolver Service */
		22 |     "10.180.80.5/32",
		23 |     "10.180.81.5/32"
		24 |   ]
		25 | 
		26 |   tags = local.tags
		27 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-11-06T11:01:19Z	INFO	[vulndb] Need to update DB
2024-11-06T11:01:19Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-06T11:01:19Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-06T11:01:22Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-06T11:01:22Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-06T11:01:22Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-06T11:01:22Z	INFO	[misconfig] Need to update the built-in checks
2024-11-06T11:01:22Z	INFO	[misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-06T11:01:22Z	INFO	[secret] Secret scanning is enabled
2024-11-06T11:01:22Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-06T11:01:22Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-06T11:01:23Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-06T11:01:23Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-06T11:01:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.connected_vpc_transit_gateway_routes" value="cty.NilVal"
2024-11-06T11:01:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-11-06T11:01:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-11-06T11:01:27Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bold_egress_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:27Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bold_egress_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:28Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:28Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:28Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:28Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:28Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definitions_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:28Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definitions_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:28Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:28Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-06T11:01:29Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-11-06T11:01:29Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-11-06T11:01:29Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-11-06T11:01:29Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-11-06T11:01:29Z	INFO	Number of language-specific files	num=0
2024-11-06T11:01:29Z	INFO	Detected config files	num=10

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81
   via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
  12resource "aws_lb" "this" {
  13count = local.create ? 1 : 0
  1415dynamic "access_logs" {
  16for_each = length(var.access_logs) > 0 ? [var.access_logs] : []
  1718content {
  19bucket  = access_logs.value.bucket
  20enabled = try(access_logs.value.enabled, true)
  ..   
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 0, CRITICAL: 4)

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 0, CRITICAL: 4)

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:25-46 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:25-46 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:25-46 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:25-46 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-ingestion-development November 6, 2024 11:09 — with GitHub Actions Inactive
modernisation-platform-ci
modernisation-platform-ci requested changes Nov 6, 2024
View reviewed changes
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@jacobwoffenden Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

@jacobwoffenden jacobwoffenden mentioned this pull request Nov 7, 2024
Closed
@jacobwoffenden
tidy ahead of merge
8c3f479 
Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
modernisation-platform-ci
modernisation-platform-ci previously requested changes Nov 7, 2024
View reviewed changes
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@jacobwoffenden Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-ingestion-development November 7, 2024 12:09 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 7, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-11-07T12:09:57Z INFO [vulndb] Need to update DB
2024-11-07T12:09:57Z INFO [vulndb] Downloading vulnerability DB...
2024-11-07T12:09:57Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-07T12:10:00Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-07T12:10:00Z INFO [vuln] Vulnerability scanning is enabled
2024-11-07T12:10:00Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-07T12:10:00Z INFO [misconfig] Need to update the built-in checks
2024-11-07T12:10:00Z INFO [misconfig] Downloading the built-in checks...
2024-11-07T12:10:00Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 143.527µs, allowed: 44000/minute\n\n"
2024-11-07T12:10:00Z INFO [secret] Secret scanning is enabled
2024-11-07T12:10:00Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-07T12:10:00Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-07T12:10:00Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-07T12:10:01Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-07T12:10:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.connected_vpc_transit_gateway_routes" value="cty.NilVal"
2024-11-07T12:10:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-11-07T12:10:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-11-07T12:10:05Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bold_egress_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:05Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bold_egress_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:06Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:06Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:06Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:06Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:06Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definitions_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:06Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definitions_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:06Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:06Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:07Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-11-07T12:10:07Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-11-07T12:10:07Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-11-07T12:10:07Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-11-07T12:10:07Z INFO Number of language-specific files num=0
2024-11-07T12:10:07Z INFO Detected config files num=10

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81
via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
12 ┌ resource "aws_lb" "this" {
13 │ count = local.create ? 1 : 0
14 │
15 │ dynamic "access_logs" {
16 │ for_each = length(var.access_logs) > 0 ? [var.access_logs] : []
17 │
18 │ content {
19 │ bucket = access_logs.value.bucket
20 └ enabled = try(access_logs.value.enabled, true)
..
────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 0, CRITICAL: 4)

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

terraform-aws-modules/vpc/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 0, CRITICAL: 4)

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:340
via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:25-46 (module.isolated_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:323
via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:25-46 (module.isolated_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:221
via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:25-46 (module.isolated_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:204
via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:25-46 (module.isolated_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-07 12:10:09,807 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,807 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,807 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,808 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/resolver-rule-associations:4.1.0 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,808 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,808 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,808 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,808 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/resolver-endpoints:4.1.0 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,808 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,809 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,809 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,809 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,809 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,809 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,809 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,809 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,810 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.1 (for external modules, the --download-external-modules flag is required)
2024-11-07 12:10:09,831 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-07 12:10:09,831 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 170, Failed checks: 2, Skipped checks: 68

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: connected_vpc_route53_resolver_associations
	File: /route53-resolver-associations.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "connected_vpc_route53_resolver_associations" {
		2  | 
		3  |   source  = "terraform-aws-modules/route53/aws//modules/resolver-rule-associations"
		4  |   version = "4.1.0"
		5  | 
		6  |   vpc_id = module.connected_vpc.vpc_id
		7  | 
		8  |   resolver_rule_associations = {
		9  |     mojo-dns-resolver-dom1-infra-int = {
		10 |       resolver_rule_id = aws_route53_resolver_rule.mojo_dns_resolver_dom1_infra_int.id
		11 |     }
		12 |   }
		13 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: connected_vpc_outbound_route53_resolver_endpoint
	File: /route53-resolver-endpoints.tf:1-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "connected_vpc_outbound_route53_resolver_endpoint" {
		2  |   source  = "terraform-aws-modules/route53/aws//modules/resolver-endpoints"
		3  |   version = "4.1.0"
		4  | 
		5  |   name      = "connected-vpc-outbound"
		6  |   vpc_id    = module.connected_vpc.vpc_id
		7  |   direction = "OUTBOUND"
		8  |   protocols = ["Do53"]
		9  | 
		10 |   ip_address = [
		11 |     {
		12 |       subnet_id = module.connected_vpc.private_subnets[0]
		13 |     },
		14 |     {
		15 |       subnet_id = module.connected_vpc.private_subnets[1]
		16 |     }
		17 |   ]
		18 | 
		19 |   security_group_ingress_cidr_blocks = [module.connected_vpc.vpc_cidr_block]
		20 |   security_group_egress_cidr_blocks = [
		21 |     /* MoJO DNS Resolver Service */
		22 |     "10.180.80.5/32",
		23 |     "10.180.81.5/32"
		24 |   ]
		25 | 
		26 |   tags = local.tags
		27 | }

checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-11-07T12:09:57Z	INFO	[vulndb] Need to update DB
2024-11-07T12:09:57Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-07T12:09:57Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-07T12:10:00Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-07T12:10:00Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-07T12:10:00Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-07T12:10:00Z	INFO	[misconfig] Need to update the built-in checks
2024-11-07T12:10:00Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-07T12:10:00Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 143.527µs, allowed: 44000/minute\n\n"
2024-11-07T12:10:00Z	INFO	[secret] Secret scanning is enabled
2024-11-07T12:10:00Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-07T12:10:00Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-07T12:10:00Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-07T12:10:01Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-07T12:10:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.connected_vpc_transit_gateway_routes" value="cty.NilVal"
2024-11-07T12:10:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-11-07T12:10:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-11-07T12:10:05Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bold_egress_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:05Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bold_egress_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:06Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:06Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:06Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:06Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:06Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definitions_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:06Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definitions_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:06Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:06Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-07T12:10:07Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-11-07T12:10:07Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-11-07T12:10:07Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-11-07T12:10:07Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-11-07T12:10:07Z	INFO	Number of language-specific files	num=0
2024-11-07T12:10:07Z	INFO	Detected config files	num=10

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81
   via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
  12resource "aws_lb" "this" {
  13count = local.create ? 1 : 0
  1415dynamic "access_logs" {
  16for_each = length(var.access_logs) > 0 ? [var.access_logs] : []
  1718content {
  19bucket  = access_logs.value.bucket
  20enabled = try(access_logs.value.enabled, true)
  ..   
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 0, CRITICAL: 4)

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 0, CRITICAL: 4)

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:25-46 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:25-46 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:25-46 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:25-46 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-ingestion-development November 7, 2024 12:18 — with GitHub Actions Inactive
@jacobwoffenden jacobwoffenden marked this pull request as ready for review November 7, 2024 12:20
@jacobwoffenden jacobwoffenden requested review from a team as code owners November 7, 2024 12:20
Kudzai-moj
Kudzai-moj approved these changes Nov 7, 2024
View reviewed changes
Copy link
Contributor

@Kudzai-moj Kudzai-moj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jacobwoffenden jacobwoffenden merged commit 8b6362d into main Nov 7, 2024
11 of 12 checks passed
@jacobwoffenden jacobwoffenden deleted the chore/ap-ingestion-network-debug branch November 7, 2024 13:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Kudzai-moj Kudzai-moj Kudzai-moj approved these changes

@Khatraf Khatraf Khatraf left review comments

@modernisation-platform-ci modernisation-platform-ci modernisation-platform-ci left review comments

@ASTRobinson ASTRobinson ASTRobinson left review comments

@mikereiddigital mikereiddigital mikereiddigital left review comments

Assignees

@jacobwoffenden jacobwoffenden

Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

📥 Maintenance - Ingestion
6 participants
@jacobwoffenden @modernisation-platform-ci @mikereiddigital @ASTRobinson @Khatraf @Kudzai-moj