
Added secret definition for govuk_notify_api_key #87

Merged
merged 4 commits into from
Aug 18, 2021

Conversation

jemnery
Contributor

@jemnery jemnery commented Aug 16, 2021

I'd updated secrets.tf a while ago, but the secret wasn't visible in the container. I think I also needed to update task_definition.json and main.tf...(?)

Basically trying to get GOVUK_NOTIFY_API_KEY to appear as an env var in the container.

@jemnery jemnery requested a review from zuriguardiola August 16, 2021 15:04
@jemnery jemnery temporarily deployed to performance-hub-development August 16, 2021 15:04 Inactive
@github-actions
Contributor

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/performance-hub

*****************************

Running TFSEC in terraform/environments/performance-hub
Excluding the following checks: AWS095
WARNING: Failed to load module: missing module with source 'github.com/ministryofjustice/modernisation-platform/terraform/modules/bastion_linux' -  try to 'terraform init' first
WARNING: Failed to load module: missing module with source 'github.com/ministryofjustice/modernisation-platform-terraform-ecs' -  try to 'terraform init' first

  Result 1

  [aws-elbv2-http-not-used][CRITICAL] Resource 'aws_lb_listener.listener' uses plain HTTP instead of HTTPS.
  /github/workspace/terraform/environments/performance-hub/main.tf:277


     274 | resource "aws_lb_listener" "listener" {
     275 |   load_balancer_arn = aws_lb.external.id
     276 |   port              = local.app_data.accounts[local.environment].server_port
     277 |   protocol          = "HTTP"    string: "HTTP"
     278 | 
     279 |   default_action {
     280 |     target_group_arn = aws_lb_target_group.target_group.id

  Legacy ID:  AWS004
  Impact:     Your traffic is not protected
  Resolution: Switch to HTTPS to benefit from TLS security features

  More Info:
  - https://tfsec.dev/docs/aws/elbv2/http-not-used#aws/elbv2 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener 
  - https://www.cloudflare.com/en-gb/learning/ssl/why-is-http-not-secure/ 

  Result 2

  [aws-rds-backup-retention-specified][MEDIUM] Resource 'aws_db_instance.database' has backup retention period set to a low value
  /github/workspace/terraform/environments/performance-hub/main.tf:354


     351 |   iam_database_authentication_enabled = false
     352 |   vpc_security_group_ids              = [aws_security_group.db.id]
     353 |   snapshot_identifier                 = local.app_data.accounts[local.environment].db_snapshot_identifier
     354 |   backup_retention_period             = 0    number: 0.000000
     355 |   maintenance_window                  = "Mon:00:00-Mon:03:00"
     356 |   backup_window                       = "03:00-06:00"
     357 |   final_snapshot_identifier           = "final-snapshot"

  Legacy ID:  AWS091
  Impact:     Potential loss of data and short opportunity for recovery
  Resolution: Explicitly set the retention period to greater than the default

  More Info:
  - https://tfsec.dev/docs/aws/rds/backup-retention-specified#aws/rds 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period 
  - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention 

  Result 3

  [aws-s3-enable-bucket-logging][MEDIUM] Resource 'aws_s3_bucket.upload_files' does not have logging enabled.
  /github/workspace/terraform/environments/performance-hub/main.tf:545-590


     542 | #------------------------------------------------------------------------------
     543 | # S3 Bucket for Uploads
     544 | #------------------------------------------------------------------------------
     545 | resource "aws_s3_bucket" "upload_files" {
     546 |   bucket = "${local.application_name}-uploads-${local.environment}"
     547 |   acl    = "private"
     548 | 
     549 |   lifecycle {
     550 |     prevent_destroy = true
     551 |   }
     552 | 
     553 |   dynamic "lifecycle_rule" {
     554 |     for_each = true ? [true] : []
     555 | 
     556 |     content {
     557 |       enabled = true
     558 | 
     559 |       noncurrent_version_transition {
     560 |         days          = 30
     561 |         storage_class = "STANDARD_IA"
     562 |       }
     563 | 
     564 |       transition {
     565 |         days          = 60
     566 |         storage_class = "STANDARD_IA"
     567 |       }
     568 |     }
     569 |   }
     570 | 
     571 |   server_side_encryption_configuration {
     572 |     rule {
     573 |       apply_server_side_encryption_by_default {
     574 |         sse_algorithm     = "aws:kms"
     575 |         kms_master_key_id = aws_kms_key.s3.arn
     576 |       }
     577 |     }
     578 |   }
     579 | 
     580 |   versioning {
     581 |     enabled = true
     582 |   }
     583 | 
     584 |   tags = merge(
     585 |     local.tags,
     586 |     {
     587 |       Name = "${local.application_name}-uploads"
     588 |     }
     589 |   )
     590 | }
     591 | 
     592 | resource "aws_s3_bucket_policy" "upload_files_policy" {
     593 |   bucket = aws_s3_bucket.upload_files.id

  Legacy ID:  AWS002
  Impact:     There is no way to determine the access to this bucket
  Resolution: Add a logging block to the resource to enable access logging

  More Info:
  - https://tfsec.dev/docs/aws/s3/enable-bucket-logging#aws/s3 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket 
  - https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html 

  Result 4

  [aws-s3-enable-bucket-logging][MEDIUM] Resource 'aws_s3_bucket.database_backup_files' does not have logging enabled.
  /github/workspace/terraform/environments/performance-hub/main.tf:445-490


     442 | #------------------------------------------------------------------------------
     443 | # S3 Bucket for Database backup files
     444 | #------------------------------------------------------------------------------
     445 | resource "aws_s3_bucket" "database_backup_files" {
     446 |   bucket = "${local.application_name}-db-backups-${local.environment}"
     447 |   acl    = "private"
     448 | 
     449 |   lifecycle {
     450 |     prevent_destroy = true
     451 |   }
     452 | 
     453 |   dynamic "lifecycle_rule" {
     454 |     for_each = true ? [true] : []
     455 | 
     456 |     content {
     457 |       enabled = true
     458 | 
     459 |       noncurrent_version_transition {
     460 |         days          = 30
     461 |         storage_class = "STANDARD_IA"
     462 |       }
     463 | 
     464 |       transition {
     465 |         days          = 60
     466 |         storage_class = "STANDARD_IA"
     467 |       }
     468 |     }
     469 |   }
     470 | 
     471 |   server_side_encryption_configuration {
     472 |     rule {
     473 |       apply_server_side_encryption_by_default {
     474 |         sse_algorithm     = "aws:kms"
     475 |         kms_master_key_id = aws_kms_key.s3.arn
     476 |       }
     477 |     }
     478 |   }
     479 | 
     480 |   versioning {
     481 |     enabled = true
     482 |   }
     483 | 
     484 |   tags = merge(
     485 |     local.tags,
     486 |     {
     487 |       Name = "${local.application_name}-db-backups-s3"
     488 |     }
     489 |   )
     490 | }
     491 | 
     492 | #S3 bucket access policy
     493 | resource "aws_iam_policy" "s3_database_backups_policy" {

  Legacy ID:  AWS002
  Impact:     There is no way to determine the access to this bucket
  Resolution: Add a logging block to the resource to enable access logging

  More Info:
  - https://tfsec.dev/docs/aws/s3/enable-bucket-logging#aws/s3 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket 
  - https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html 

  Result 5

  [aws-s3-specify-public-access-block][MEDIUM] Resource aws_s3_bucket.database_backup_files has no associated aws_s3_bucket_public_access_block.
  /github/workspace/terraform/environments/performance-hub/main.tf:445-490


     442 | #------------------------------------------------------------------------------
     443 | # S3 Bucket for Database backup files
     444 | #------------------------------------------------------------------------------
     445 | resource "aws_s3_bucket" "database_backup_files" {
     446 |   bucket = "${local.application_name}-db-backups-${local.environment}"
     447 |   acl    = "private"
     448 | 
     449 |   lifecycle {
     450 |     prevent_destroy = true
     451 |   }
     452 | 
     453 |   dynamic "lifecycle_rule" {
     454 |     for_each = true ? [true] : []
     455 | 
     456 |     content {
     457 |       enabled = true
     458 | 
     459 |       noncurrent_version_transition {
     460 |         days          = 30
     461 |         storage_class = "STANDARD_IA"
     462 |       }
     463 | 
     464 |       transition {
     465 |         days          = 60
     466 |         storage_class = "STANDARD_IA"
     467 |       }
     468 |     }
     469 |   }
     470 | 
     471 |   server_side_encryption_configuration {
     472 |     rule {
     473 |       apply_server_side_encryption_by_default {
     474 |         sse_algorithm     = "aws:kms"
     475 |         kms_master_key_id = aws_kms_key.s3.arn
     476 |       }
     477 |     }
     478 |   }
     479 | 
     480 |   versioning {
     481 |     enabled = true
     482 |   }
     483 | 
     484 |   tags = merge(
     485 |     local.tags,
     486 |     {
     487 |       Name = "${local.application_name}-db-backups-s3"
     488 |     }
     489 |   )
     490 | }
     491 | 
     492 | #S3 bucket access policy
     493 | resource "aws_iam_policy" "s3_database_backups_policy" {

  Legacy ID:  AWS098
  Impact:     Public access policies may be applied to sensitive data buckets
  Resolution: Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

  More Info:
  - https://tfsec.dev/docs/aws/s3/specify-public-access-block#aws/s3 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket 
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html 

  Result 6

  [aws-vpc-add-decription-to-security-group][LOW] Resource 'aws_security_group_rule.db_ecs_ingress_rule' should include a description for auditing purposes.
  /github/workspace/terraform/environments/performance-hub/main.tf:424-431


     421 |   source_security_group_id = aws_security_group.db_mgmt_server_security_group.id
     422 | }
     423 | 
     424 | resource "aws_security_group_rule" "db_ecs_ingress_rule" {
     425 |   type                     = "ingress"
     426 |   from_port                = 1433
     427 |   to_port                  = 1433
     428 |   protocol                 = "tcp"
     429 |   security_group_id        = aws_security_group.db.id
     430 |   source_security_group_id = module.windows-ecs.cluster_ec2_security_group_id
     431 | }
     432 | 
     433 | resource "aws_security_group_rule" "db_bastion_ingress_rule" {
     434 |   type              = "ingress"

  Legacy ID:  AWS018
  Impact:     Descriptions provide context for the firewall rule reasons
  Resolution: Add descriptions for all security groups and rules

  More Info:
  - https://tfsec.dev/docs/aws/vpc/add-decription-to-security-group#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule 
  - https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html 

  Result 7

  [aws-ecr-enforce-immutable-repository][HIGH] Resource 'aws_ecr_repository.ecr_repo' has `image_tag_mutability` attribute  not set to `IMMUTABLE`
  /github/workspace/terraform/environments/performance-hub/main.tf:3


       1 | resource "aws_ecr_repository" "ecr_repo" {
       2 |   name                 = local.application_name
       3 |   image_tag_mutability = "MUTABLE"    string: "MUTABLE"
       4 | 
       5 |   image_scanning_configuration {
       6 |     scan_on_push = false

  Legacy ID:  AWS078
  Impact:     Image tags could be overwritten with compromised images
  Resolution: Only use immutable images in ECR

  More Info:
  - https://tfsec.dev/docs/aws/ecr/enforce-immutable-repository#aws/ecr 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository 
  - https://sysdig.com/blog/toctou-tag-mutability/ 

  Result 8

  [aws-ecr-repository-customer-key][LOW] Resource 'aws_ecr_repository.ecr_repo' does not have CMK encryption configured
  /github/workspace/terraform/environments/performance-hub/main.tf:1-12


       1 | resource "aws_ecr_repository" "ecr_repo" {
       2 |   name                 = local.application_name
       3 |   image_tag_mutability = "MUTABLE"
       4 | 
       5 |   image_scanning_configuration {
       6 |     scan_on_push = false
       7 |   }
       8 | 
       9 |   lifecycle {
      10 |     prevent_destroy = true
      11 |   }
      12 | }
      13 | 
      14 | data "aws_caller_identity" "current" {}
      15 | 

  Legacy ID:  AWS093
  Impact:     Using AWS managed keys does not allow for fine grained control
  Resolution: Use customer managed keys

  More Info:
  - https://tfsec.dev/docs/aws/ecr/repository-customer-key#aws/ecr 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration 
  - https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html 

  Result 9

  [aws-iam-no-policy-wildcards][HIGH] Resource 'aws_iam_policy.db_mgmt_policy' defines a policy with wildcarded resources.
  /github/workspace/terraform/environments/performance-hub/db_manager.tf:92-117


      89 |   name        = "${local.application_name}-db_mgmt-ec2-policy"
      90 |   description = "${local.application_name} ec2-policy"
      91 | 
      92 |   policy = <<EOF    string: "{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n      {\n        \"Effect\": \"Allow\",\n        \"Action\": \"s3:*\",\n        \"Resource\": \"*\"\n      },\n      {\n        \"Effect\": \"Allow\",\n        \"Action\": [\n          \"s3:GetEncryptionConfiguration\"\n        ],\n        \"Resource\": \"*\"\n      },\n      {\n        \"Effect\": \"Allow\",\n        \"Action\": [\n          \"kms:Decrypt\"\n        ],\n        \"Resource\": \"arn:aws:kms:eu-west-2:322518575883:key/c1b9e987-29e2-458f-b5bd-2e9c2b57f049\"\n      }\n    ]\n}\n"
      93 | {
      94 |     "Version": "2012-10-17",
      95 |     "Statement": [
      96 |       {
      97 |         "Effect": "Allow",
      98 |         "Action": "s3:*",
      99 |         "Resource": "*"
     100 |       },
     101 |       {
     102 |         "Effect": "Allow",
     103 |         "Action": [
     104 |           "s3:GetEncryptionConfiguration"
     105 |         ],
     106 |         "Resource": "*"
     107 |       },
     108 |       {
     109 |         "Effect": "Allow",
     110 |         "Action": [
     111 |           "kms:Decrypt"
     112 |         ],
     113 |         "Resource": "arn:aws:kms:eu-west-2:322518575883:key/c1b9e987-29e2-458f-b5bd-2e9c2b57f049"
     114 |       }
     115 |     ]
     116 | }
     117 | EOF
     118 | }
     119 | 
     120 | # EC2 Security Group

  Legacy ID:  AWS099
  Impact:     Overly permissive policies may grant access to sensitive resources
  Resolution: Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Info:
  - https://tfsec.dev/docs/aws/iam/no-policy-wildcards#aws/iam 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document 
  - https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html 

  Result 10

  [aws-vpc-add-decription-to-security-group][LOW] Resource 'aws_security_group_rule.db_bastion_ingress_rule' should include a description for auditing purposes.
  /github/workspace/terraform/environments/performance-hub/main.tf:433-440


     430 |   source_security_group_id = module.windows-ecs.cluster_ec2_security_group_id
     431 | }
     432 | 
     433 | resource "aws_security_group_rule" "db_bastion_ingress_rule" {
     434 |   type              = "ingress"
     435 |   from_port         = 1433
     436 |   to_port           = 1433
     437 |   protocol          = "tcp"
     438 |   security_group_id = aws_security_group.db.id
     439 |   cidr_blocks       = ["${module.bastion_linux.bastion_private_ip}/32"]
     440 | }
     441 | 
     442 | #------------------------------------------------------------------------------
     443 | # S3 Bucket for Database backup files

  Legacy ID:  AWS018
  Impact:     Descriptions provide context for the firewall rule reasons
  Resolution: Add descriptions for all security groups and rules

  More Info:
  - https://tfsec.dev/docs/aws/vpc/add-decription-to-security-group#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule 
  - https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html 

  Result 11

  [aws-vpc-no-public-egress-sg][CRITICAL] Resource 'aws_security_group.db_mgmt_server_security_group' defines a fully open egress security group.
  /github/workspace/terraform/environments/performance-hub/db_manager.tf:137-139


     134 |     protocol  = "-1"
     135 |     from_port = 0
     136 |     to_port   = 0
     137 |     cidr_blocks = [    list: ["0.0.0.0/0"]
     138 |       "0.0.0.0/0",
     139 |     ]
     140 |   }
     141 | 
     142 |   tags = merge(

  Legacy ID:  AWS009
  Impact:     The port is exposed for egressing data to the internet
  Resolution: Set a more restrictive cidr range

  More Info:
  - https://tfsec.dev/docs/aws/vpc/no-public-egress-sg#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 

  Result 12

  [aws-vpc-no-public-ingress-sg][CRITICAL] Resource 'aws_security_group.load_balancer_security_group' defines a fully open ingress security group.
  /github/workspace/terraform/environments/performance-hub/main.tf:315


     312 |     protocol    = "tcp"
     313 |     from_port   = 443
     314 |     to_port     = 443
     315 |     cidr_blocks = ["0.0.0.0/0", ]    list: ["0.0.0.0/0"]
     316 |   }
     317 | 
     318 |   egress {

  Legacy ID:  AWS008
  Impact:     The port is exposed for ingress from the internet
  Resolution: Set a more restrictive cidr range

  More Info:
  - https://tfsec.dev/docs/aws/vpc/no-public-ingress-sg#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 

  Result 13

  [aws-ec2-enforce-http-token-imds][HIGH] Resource 'aws_instance.db_mgmt_server' is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.
  /github/workspace/terraform/environments/performance-hub/db_manager.tf:1-39


       1 | resource "aws_instance" "db_mgmt_server" {
       2 |   ami                         = "ami-09b00616b12b077f8"
       3 |   associate_public_ip_address = false
       4 |   availability_zone           = "eu-west-2a"
       5 |   ebs_optimized               = true
       6 |   iam_instance_profile        = aws_iam_instance_profile.db_mgmt_profile.name
       7 |   instance_type               = "t3.large"
       8 |   key_name                    = local.app_data.accounts[local.environment].key_name
       9 |   monitoring                  = true
      10 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
      11 |   user_data                   = data.template_cloudinit_config.cloudinit-db-mgmt.rendered
      12 |   vpc_security_group_ids      = [aws_security_group.db_mgmt_server_security_group.id, ]
      13 | 
      14 |   root_block_device {
      15 |     delete_on_termination = true
      16 |     encrypted             = true
      17 |     kms_key_id            = aws_kms_key.ebs.id
      18 |     volume_size           = 150
      19 |     volume_type           = "gp3"
      20 |   }
      21 | 
      22 |   lifecycle {
      23 |     ignore_changes = [
      24 |       # This prevents clobbering the tags of attached EBS volumes. See
      25 |       # [this bug][1] in the AWS provider upstream.
      26 |       #
      27 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
      28 |       volume_tags,
      29 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
      30 |       root_block_device, # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
      31 |     ]
      32 |   }
      33 |   tags = merge(
      34 |     local.tags,
      35 |     {
      36 |       Name = "${local.application_name}-db-mgmt-server"
      37 |     }
      38 |   )
      39 | }
      40 | 
      41 | data "template_file" "db_mgmt_server_script" {
      42 |   template = file("./templates/db_mgmt_server.txt")

  Legacy ID:  AWS079
  Impact:     Instance metadata service can be interacted with freely
  Resolution: Enable HTTP token requirement for IMDS

  More Info:
  - https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options 
  - https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service 

  Result 14

  [aws-elb-drop-invalid-headers][HIGH] Resource 'aws_lb.external' does not drop invalid header fields
  /github/workspace/terraform/environments/performance-hub/main.tf:229-242


     226 | # Load Balancer
     227 | #------------------------------------------------------------------------------
     228 | 
     229 | resource "aws_lb" "external" {
     230 |   name               = "${local.application_name}-loadbalancer"
     231 |   load_balancer_type = "application"
     232 |   subnets            = data.aws_subnet_ids.shared-public.ids
     233 | 
     234 |   security_groups = [aws_security_group.load_balancer_security_group.id]
     235 | 
     236 |   tags = merge(
     237 |     local.tags,
     238 |     {
     239 |       Name = "${local.application_name}-external-loadbalancer"
     240 |     }
     241 |   )
     242 | }
     243 | 
     244 | resource "aws_lb_target_group" "target_group" {
     245 |   name                 = "${local.application_name}-tg-${local.environment}"

  Legacy ID:  AWS083
  Impact:     Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution: Set drop_invalid_header_fields to true

  More Info:
  - https://tfsec.dev/docs/aws/elb/drop-invalid-headers#aws/elb 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields 
  - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html 

  Result 15

  [aws-elbv2-alb-not-public][HIGH] Resource 'aws_lb.external' is exposed publicly.
  /github/workspace/terraform/environments/performance-hub/main.tf:229-242


     226 | # Load Balancer
     227 | #------------------------------------------------------------------------------
     228 | 
     229 | resource "aws_lb" "external" {
     230 |   name               = "${local.application_name}-loadbalancer"
     231 |   load_balancer_type = "application"
     232 |   subnets            = data.aws_subnet_ids.shared-public.ids
     233 | 
     234 |   security_groups = [aws_security_group.load_balancer_security_group.id]
     235 | 
     236 |   tags = merge(
     237 |     local.tags,
     238 |     {
     239 |       Name = "${local.application_name}-external-loadbalancer"
     240 |     }
     241 |   )
     242 | }
     243 | 
     244 | resource "aws_lb_target_group" "target_group" {
     245 |   name                 = "${local.application_name}-tg-${local.environment}"

  Legacy ID:  AWS005
  Impact:     The load balancer is exposed on the internet
  Resolution: Switch to an internal load balancer or add a tfsec ignore

  More Info:
  - https://tfsec.dev/docs/aws/elbv2/alb-not-public#aws/elbv2 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb 

  Result 16

  [aws-rds-encrypt-instance-storage-data][HIGH] Resource 'aws_db_instance.database' has storage encrypted set to false
  /github/workspace/terraform/environments/performance-hub/main.tf:350


     347 |   multi_az                            = false
     348 |   username                            = local.app_data.accounts[local.environment].db_user
     349 |   password                            = data.aws_secretsmanager_secret_version.database_password.arn
     350 |   storage_encrypted                   = false    bool: false
     351 |   iam_database_authentication_enabled = false
     352 |   vpc_security_group_ids              = [aws_security_group.db.id]
     353 |   snapshot_identifier                 = local.app_data.accounts[local.environment].db_snapshot_identifier

  Legacy ID:  AWS052
  Impact:     Data can be read from RDS instances if compromised
  Resolution: Enable encryption for RDS instances

  More Info:
  - https://tfsec.dev/docs/aws/rds/encrypt-instance-storage-data#aws/rds 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance 
  - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html 

  Result 17

  [aws-vpc-add-decription-to-security-group][LOW] Resource 'aws_security_group_rule.db_mgmt_ingress_rule' should include a description for auditing purposes.
  /github/workspace/terraform/environments/performance-hub/main.tf:415-422


     412 |   )
     413 | }
     414 | 
     415 | resource "aws_security_group_rule" "db_mgmt_ingress_rule" {
     416 |   type                     = "ingress"
     417 |   from_port                = 1433
     418 |   to_port                  = 1433
     419 |   protocol                 = "tcp"
     420 |   security_group_id        = aws_security_group.db.id
     421 |   source_security_group_id = aws_security_group.db_mgmt_server_security_group.id
     422 | }
     423 | 
     424 | resource "aws_security_group_rule" "db_ecs_ingress_rule" {
     425 |   type                     = "ingress"

  Legacy ID:  AWS018
  Impact:     Descriptions provide context for the firewall rule reasons
  Resolution: Add descriptions for all security groups and rules

  More Info:
  - https://tfsec.dev/docs/aws/vpc/add-decription-to-security-group#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule 
  - https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html 

  Result 18

  [aws-ecr-enable-image-scans][HIGH] Resource 'aws_ecr_repository.ecr_repo' defines a disabled ECR image scan.
  /github/workspace/terraform/environments/performance-hub/main.tf:6


       3 |   image_tag_mutability = "MUTABLE"
       4 | 
       5 |   image_scanning_configuration {
       6 |     scan_on_push = false    bool: false
       7 |   }
       8 | 
       9 |   lifecycle {

  Legacy ID:  AWS023
  Impact:     The ability to scan images is not being used and vulnerabilities will not be highlighted
  Resolution: Enable ECR image scanning

  More Info:
  - https://tfsec.dev/docs/aws/ecr/enable-image-scans#aws/ecr 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration 
  - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html 

  Result 19

  [aws-s3-specify-public-access-block][MEDIUM] Resource aws_s3_bucket.upload_files has no associated aws_s3_bucket_public_access_block.
  /github/workspace/terraform/environments/performance-hub/main.tf:545-590


     542 | #------------------------------------------------------------------------------
     543 | # S3 Bucket for Uploads
     544 | #------------------------------------------------------------------------------
     545 | resource "aws_s3_bucket" "upload_files" {
     546 |   bucket = "${local.application_name}-uploads-${local.environment}"
     547 |   acl    = "private"
     548 | 
     549 |   lifecycle {
     550 |     prevent_destroy = true
     551 |   }
     552 | 
     553 |   dynamic "lifecycle_rule" {
     554 |     for_each = true ? [true] : []
     555 | 
     556 |     content {
     557 |       enabled = true
     558 | 
     559 |       noncurrent_version_transition {
     560 |         days          = 30
     561 |         storage_class = "STANDARD_IA"
     562 |       }
     563 | 
     564 |       transition {
     565 |         days          = 60
     566 |         storage_class = "STANDARD_IA"
     567 |       }
     568 |     }
     569 |   }
     570 | 
     571 |   server_side_encryption_configuration {
     572 |     rule {
     573 |       apply_server_side_encryption_by_default {
     574 |         sse_algorithm     = "aws:kms"
     575 |         kms_master_key_id = aws_kms_key.s3.arn
     576 |       }
     577 |     }
     578 |   }
     579 | 
     580 |   versioning {
     581 |     enabled = true
     582 |   }
     583 | 
     584 |   tags = merge(
     585 |     local.tags,
     586 |     {
     587 |       Name = "${local.application_name}-uploads"
     588 |     }
     589 |   )
     590 | }
     591 | 
     592 | resource "aws_s3_bucket_policy" "upload_files_policy" {
     593 |   bucket = aws_s3_bucket.upload_files.id

  Legacy ID:  AWS098
  Impact:     Public access policies may be applied to sensitive data buckets
  Resolution: Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

  More Info:
  - https://tfsec.dev/docs/aws/s3/specify-public-access-block#aws/s3 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket 
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html 

  Result 20

  [aws-vpc-no-public-egress-sg][CRITICAL] Resource 'aws_security_group.load_balancer_security_group' defines a fully open egress security group.
  /github/workspace/terraform/environments/performance-hub/main.tf:322-324


     319 |     protocol  = "-1"
     320 |     from_port = 0
     321 |     to_port   = 0
     322 |     cidr_blocks = [    list: ["0.0.0.0/0"]
     323 |       "0.0.0.0/0",
     324 |     ]
     325 |   }
     326 | 
     327 |   tags = merge(

  Legacy ID:  AWS009
  Impact:     The port is exposed for egressing data to the internet
  Resolution: Set a more restrictive cidr range

  More Info:
  - https://tfsec.dev/docs/aws/vpc/no-public-egress-sg#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 

  Result 21

  [aws-vpc-no-public-ingress-sg][CRITICAL] Resource 'aws_security_group.load_balancer_security_group' defines a fully open ingress security group.
  /github/workspace/terraform/environments/performance-hub/main.tf:308


     305 |     protocol    = "tcp"
     306 |     from_port   = local.app_data.accounts[local.environment].server_port
     307 |     to_port     = local.app_data.accounts[local.environment].server_port
     308 |     cidr_blocks = ["0.0.0.0/0", ]    list: ["0.0.0.0/0"]
     309 |   }
     310 | 
     311 |   ingress {

  Legacy ID:  AWS008
  Impact:     The port is exposed for ingress from the internet
  Resolution: Set a more restrictive cidr range

  More Info:
  - https://tfsec.dev/docs/aws/vpc/no-public-ingress-sg#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 

  times
  ------------------------------------------
  disk i/o             10.223272ms
  parsing HCL          80.901µs
  evaluating values    20.453245ms
  running checks       14.221601ms

  counts
  ------------------------------------------
  files loaded         10
  blocks               91
  modules              0

  results
  ------------------------------------------
  critical             5
  high                 7
  medium               5
  low                  4
  ignored              0

  21 potential problems detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/performance-hub

*****************************

Running Checkov in terraform/environments/performance-hub


       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By bridgecrew.io | version: 2.0.350 
Update available 2.0.350 -> 2.0.351
Run pip3 install -U checkov to update 


terraform scan results:

Passed checks: 89, Failed checks: 26, Skipped checks: 0

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ebs-kms
	File: /db_manager.tf:172-193
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint

		172 | data "aws_iam_policy_document" "ebs-kms" {
		173 |   statement {
		174 |     effect    = "Allow"
		175 |     actions   = ["kms:*"]
		176 |     resources = ["*"]
		177 | 
		178 |     principals {
		179 |       type        = "Service"
		180 |       identifiers = ["ec2.amazonaws.com"]
		181 |     }
		182 |   }
		183 |   statement {
		184 |     effect    = "Allow"
		185 |     actions   = ["kms:*"]
		186 |     resources = ["*"]
		187 | 
		188 |     principals {
		189 |       type        = "AWS"
		190 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		191 |     }
		192 |   }
		193 | }


Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ebs-kms
	File: /db_manager.tf:172-193
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		172 | data "aws_iam_policy_document" "ebs-kms" {
		173 |   statement {
		174 |     effect    = "Allow"
		175 |     actions   = ["kms:*"]
		176 |     resources = ["*"]
		177 | 
		178 |     principals {
		179 |       type        = "Service"
		180 |       identifiers = ["ec2.amazonaws.com"]
		181 |     }
		182 |   }
		183 |   statement {
		184 |     effect    = "Allow"
		185 |     actions   = ["kms:*"]
		186 |     resources = ["*"]
		187 | 
		188 |     principals {
		189 |       type        = "AWS"
		190 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		191 |     }
		192 |   }
		193 | }


Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.db_mgmt_server
	File: /db_manager.tf:1-39
	Guide: https://docs.bridgecrew.io/docs/bc_aws_general_31

		1  | resource "aws_instance" "db_mgmt_server" {
		2  |   ami                         = "ami-09b00616b12b077f8"
		3  |   associate_public_ip_address = false
		4  |   availability_zone           = "eu-west-2a"
		5  |   ebs_optimized               = true
		6  |   iam_instance_profile        = aws_iam_instance_profile.db_mgmt_profile.name
		7  |   instance_type               = "t3.large"
		8  |   key_name                    = local.app_data.accounts[local.environment].key_name
		9  |   monitoring                  = true
		10 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		11 |   user_data                   = data.template_cloudinit_config.cloudinit-db-mgmt.rendered
		12 |   vpc_security_group_ids      = [aws_security_group.db_mgmt_server_security_group.id, ]
		13 | 
		14 |   root_block_device {
		15 |     delete_on_termination = true
		16 |     encrypted             = true
		17 |     kms_key_id            = aws_kms_key.ebs.id
		18 |     volume_size           = 150
		19 |     volume_type           = "gp3"
		20 |   }
		21 | 
		22 |   lifecycle {
		23 |     ignore_changes = [
		24 |       # This prevents clobbering the tags of attached EBS volumes. See
		25 |       # [this bug][1] in the AWS provider upstream.
		26 |       #
		27 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		28 |       volume_tags,
		29 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		30 |       root_block_device, # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		31 |     ]
		32 |   }
		33 |   tags = merge(
		34 |     local.tags,
		35 |     {
		36 |       Name = "${local.application_name}-db-mgmt-server"
		37 |     }
		38 |   )
		39 | }


Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.s3-kms
	File: /main.tf:695-716
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint

		695 | data "aws_iam_policy_document" "s3-kms" {
		696 |   statement {
		697 |     effect    = "Allow"
		698 |     actions   = ["kms:*"]
		699 |     resources = ["*"]
		700 | 
		701 |     principals {
		702 |       type        = "Service"
		703 |       identifiers = ["s3.amazonaws.com"]
		704 |     }
		705 |   }
		706 |   statement {
		707 |     effect    = "Allow"
		708 |     actions   = ["kms:*"]
		709 |     resources = ["*"]
		710 | 
		711 |     principals {
		712 |       type        = "AWS"
		713 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		714 |     }
		715 |   }
		716 | }


Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.s3-kms
	File: /main.tf:695-716
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		695 | data "aws_iam_policy_document" "s3-kms" {
		696 |   statement {
		697 |     effect    = "Allow"
		698 |     actions   = ["kms:*"]
		699 |     resources = ["*"]
		700 | 
		701 |     principals {
		702 |       type        = "Service"
		703 |       identifiers = ["s3.amazonaws.com"]
		704 |     }
		705 |   }
		706 |   statement {
		707 |     effect    = "Allow"
		708 |     actions   = ["kms:*"]
		709 |     resources = ["*"]
		710 | 
		711 |     principals {
		712 |       type        = "AWS"
		713 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		714 |     }
		715 |   }
		716 | }


Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.ecr_repo
	File: /main.tf:1-12
	Guide: https://docs.bridgecrew.io/docs/ensure-that-ecr-repositories-are-encrypted

		1  | resource "aws_ecr_repository" "ecr_repo" {
		2  |   name                 = local.application_name
		3  |   image_tag_mutability = "MUTABLE"
		4  | 
		5  |   image_scanning_configuration {
		6  |     scan_on_push = false
		7  |   }
		8  | 
		9  |   lifecycle {
		10 |     prevent_destroy = true
		11 |   }
		12 | }


Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.ecr_repo
	File: /main.tf:1-12
	Guide: https://docs.bridgecrew.io/docs/general_8

		1  | resource "aws_ecr_repository" "ecr_repo" {
		2  |   name                 = local.application_name
		3  |   image_tag_mutability = "MUTABLE"
		4  | 
		5  |   image_scanning_configuration {
		6  |     scan_on_push = false
		7  |   }
		8  | 
		9  |   lifecycle {
		10 |     prevent_destroy = true
		11 |   }
		12 | }


Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.ecr_repo
	File: /main.tf:1-12
	Guide: https://docs.bridgecrew.io/docs/bc_aws_general_24

		1  | resource "aws_ecr_repository" "ecr_repo" {
		2  |   name                 = local.application_name
		3  |   image_tag_mutability = "MUTABLE"
		4  | 
		5  |   image_scanning_configuration {
		6  |     scan_on_push = false
		7  |   }
		8  | 
		9  |   lifecycle {
		10 |     prevent_destroy = true
		11 |   }
		12 | }


Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.external
	File: /main.tf:229-242
	Guide: https://docs.bridgecrew.io/docs/bc_aws_logging_22

		229 | resource "aws_lb" "external" {
		230 |   name               = "${local.application_name}-loadbalancer"
		231 |   load_balancer_type = "application"
		232 |   subnets            = data.aws_subnet_ids.shared-public.ids
		233 | 
		234 |   security_groups = [aws_security_group.load_balancer_security_group.id]
		235 | 
		236 |   tags = merge(
		237 |     local.tags,
		238 |     {
		239 |       Name = "${local.application_name}-external-loadbalancer"
		240 |     }
		241 |   )
		242 | }


Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /main.tf:229-242

		229 | resource "aws_lb" "external" {
		230 |   name               = "${local.application_name}-loadbalancer"
		231 |   load_balancer_type = "application"
		232 |   subnets            = data.aws_subnet_ids.shared-public.ids
		233 | 
		234 |   security_groups = [aws_security_group.load_balancer_security_group.id]
		235 | 
		236 |   tags = merge(
		237 |     local.tags,
		238 |     {
		239 |       Name = "${local.application_name}-external-loadbalancer"
		240 |     }
		241 |   )
		242 | }


Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /main.tf:229-242
	Guide: https://docs.bridgecrew.io/docs/ensure-that-alb-drops-http-headers

		229 | resource "aws_lb" "external" {
		230 |   name               = "${local.application_name}-loadbalancer"
		231 |   load_balancer_type = "application"
		232 |   subnets            = data.aws_subnet_ids.shared-public.ids
		233 | 
		234 |   security_groups = [aws_security_group.load_balancer_security_group.id]
		235 | 
		236 |   tags = merge(
		237 |     local.tags,
		238 |     {
		239 |       Name = "${local.application_name}-external-loadbalancer"
		240 |     }
		241 |   )
		242 | }


Check: CKV_AWS_103: "Ensure that load balancer is using TLS 1.2"
	FAILED for resource: aws_lb_listener.listener
	File: /main.tf:274-283
	Guide: https://docs.bridgecrew.io/docs/bc_aws_general_43

		274 | resource "aws_lb_listener" "listener" {
		275 |   load_balancer_arn = aws_lb.external.id
		276 |   port              = local.app_data.accounts[local.environment].server_port
		277 |   protocol          = "HTTP"
		278 | 
		279 |   default_action {
		280 |     target_group_arn = aws_lb_target_group.target_group.id
		281 |     type             = "forward"
		282 |   }
		283 | }


Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.listener
	File: /main.tf:274-283
	Guide: https://docs.bridgecrew.io/docs/networking_29

		274 | resource "aws_lb_listener" "listener" {
		275 |   load_balancer_arn = aws_lb.external.id
		276 |   port              = local.app_data.accounts[local.environment].server_port
		277 |   protocol          = "HTTP"
		278 | 
		279 |   default_action {
		280 |     target_group_arn = aws_lb_target_group.target_group.id
		281 |     type             = "forward"
		282 |   }
		283 | }


Check: CKV_AWS_103: "Ensure that load balancer is using TLS 1.2"
	FAILED for resource: aws_lb_listener.https_listener
	File: /main.tf:285-297
	Guide: https://docs.bridgecrew.io/docs/bc_aws_general_43

		285 | resource "aws_lb_listener" "https_listener" {
		286 |   depends_on = [aws_acm_certificate_validation.external]
		287 | 
		288 |   load_balancer_arn = aws_lb.external.id
		289 |   port              = "443"
		290 |   protocol          = "HTTPS"
		291 |   certificate_arn   = aws_acm_certificate.external.arn
		292 | 
		293 |   default_action {
		294 |     target_group_arn = aws_lb_target_group.target_group.id
		295 |     type             = "forward"
		296 |   }
		297 | }


Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /main.tf:339-374
	Guide: https://docs.bridgecrew.io/docs/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		339 | resource "aws_db_instance" "database" {
		340 |   identifier                          = local.application_name
		341 |   allocated_storage                   = 100
		342 |   storage_type                        = "gp2"
		343 |   engine                              = "sqlserver-se"
		344 |   engine_version                      = "15.00.4073.23.v1"
		345 |   license_model                       = "license-included"
		346 |   instance_class                      = local.app_data.accounts[local.environment].db_instance_class
		347 |   multi_az                            = false
		348 |   username                            = local.app_data.accounts[local.environment].db_user
		349 |   password                            = data.aws_secretsmanager_secret_version.database_password.arn
		350 |   storage_encrypted                   = false
		351 |   iam_database_authentication_enabled = false
		352 |   vpc_security_group_ids              = [aws_security_group.db.id]
		353 |   snapshot_identifier                 = local.app_data.accounts[local.environment].db_snapshot_identifier
		354 |   backup_retention_period             = 0
		355 |   maintenance_window                  = "Mon:00:00-Mon:03:00"
		356 |   backup_window                       = "03:00-06:00"
		357 |   final_snapshot_identifier           = "final-snapshot"
		358 |   deletion_protection                 = false
		359 |   option_group_name                   = aws_db_option_group.db_option_group.name
		360 |   db_subnet_group_name                = aws_db_subnet_group.db.id
		361 | 
		362 |   # timeouts {
		363 |   #   create = "40m"
		364 |   #   delete = "40m"
		365 |   #   update = "80m"
		366 |   # }
		367 | 
		368 |   tags = merge(
		369 |     local.tags,
		370 |     {
		371 |       Name = "${local.application_name}-database"
		372 |     }
		373 |   )
		374 | }


Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /main.tf:339-374
	Guide: https://docs.bridgecrew.io/docs/general_4

		339 | resource "aws_db_instance" "database" {
		340 |   identifier                          = local.application_name
		341 |   allocated_storage                   = 100
		342 |   storage_type                        = "gp2"
		343 |   engine                              = "sqlserver-se"
		344 |   engine_version                      = "15.00.4073.23.v1"
		345 |   license_model                       = "license-included"
		346 |   instance_class                      = local.app_data.accounts[local.environment].db_instance_class
		347 |   multi_az                            = false
		348 |   username                            = local.app_data.accounts[local.environment].db_user
		349 |   password                            = data.aws_secretsmanager_secret_version.database_password.arn
		350 |   storage_encrypted                   = false
		351 |   iam_database_authentication_enabled = false
		352 |   vpc_security_group_ids              = [aws_security_group.db.id]
		353 |   snapshot_identifier                 = local.app_data.accounts[local.environment].db_snapshot_identifier
		354 |   backup_retention_period             = 0
		355 |   maintenance_window                  = "Mon:00:00-Mon:03:00"
		356 |   backup_window                       = "03:00-06:00"
		357 |   final_snapshot_identifier           = "final-snapshot"
		358 |   deletion_protection                 = false
		359 |   option_group_name                   = aws_db_option_group.db_option_group.name
		360 |   db_subnet_group_name                = aws_db_subnet_group.db.id
		361 | 
		362 |   # timeouts {
		363 |   #   create = "40m"
		364 |   #   delete = "40m"
		365 |   #   update = "80m"
		366 |   # }
		367 | 
		368 |   tags = merge(
		369 |     local.tags,
		370 |     {
		371 |       Name = "${local.application_name}-database"
		372 |     }
		373 |   )
		374 | }


Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /main.tf:339-374
	Guide: https://docs.bridgecrew.io/docs/general_73

		339 | resource "aws_db_instance" "database" {
		340 |   identifier                          = local.application_name
		341 |   allocated_storage                   = 100
		342 |   storage_type                        = "gp2"
		343 |   engine                              = "sqlserver-se"
		344 |   engine_version                      = "15.00.4073.23.v1"
		345 |   license_model                       = "license-included"
		346 |   instance_class                      = local.app_data.accounts[local.environment].db_instance_class
		347 |   multi_az                            = false
		348 |   username                            = local.app_data.accounts[local.environment].db_user
		349 |   password                            = data.aws_secretsmanager_secret_version.database_password.arn
		350 |   storage_encrypted                   = false
		351 |   iam_database_authentication_enabled = false
		352 |   vpc_security_group_ids              = [aws_security_group.db.id]
		353 |   snapshot_identifier                 = local.app_data.accounts[local.environment].db_snapshot_identifier
		354 |   backup_retention_period             = 0
		355 |   maintenance_window                  = "Mon:00:00-Mon:03:00"
		356 |   backup_window                       = "03:00-06:00"
		357 |   final_snapshot_identifier           = "final-snapshot"
		358 |   deletion_protection                 = false
		359 |   option_group_name                   = aws_db_option_group.db_option_group.name
		360 |   db_subnet_group_name                = aws_db_subnet_group.db.id
		361 | 
		362 |   # timeouts {
		363 |   #   create = "40m"
		364 |   #   delete = "40m"
		365 |   #   update = "80m"
		366 |   # }
		367 | 
		368 |   tags = merge(
		369 |     local.tags,
		370 |     {
		371 |       Name = "${local.application_name}-database"
		372 |     }
		373 |   )
		374 | }


Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /main.tf:339-374
	Guide: https://docs.bridgecrew.io/docs/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		339 | resource "aws_db_instance" "database" {
		340 |   identifier                          = local.application_name
		341 |   allocated_storage                   = 100
		342 |   storage_type                        = "gp2"
		343 |   engine                              = "sqlserver-se"
		344 |   engine_version                      = "15.00.4073.23.v1"
		345 |   license_model                       = "license-included"
		346 |   instance_class                      = local.app_data.accounts[local.environment].db_instance_class
		347 |   multi_az                            = false
		348 |   username                            = local.app_data.accounts[local.environment].db_user
		349 |   password                            = data.aws_secretsmanager_secret_version.database_password.arn
		350 |   storage_encrypted                   = false
		351 |   iam_database_authentication_enabled = false
		352 |   vpc_security_group_ids              = [aws_security_group.db.id]
		353 |   snapshot_identifier                 = local.app_data.accounts[local.environment].db_snapshot_identifier
		354 |   backup_retention_period             = 0
		355 |   maintenance_window                  = "Mon:00:00-Mon:03:00"
		356 |   backup_window                       = "03:00-06:00"
		357 |   final_snapshot_identifier           = "final-snapshot"
		358 |   deletion_protection                 = false
		359 |   option_group_name                   = aws_db_option_group.db_option_group.name
		360 |   db_subnet_group_name                = aws_db_subnet_group.db.id
		361 | 
		362 |   # timeouts {
		363 |   #   create = "40m"
		364 |   #   delete = "40m"
		365 |   #   update = "80m"
		366 |   # }
		367 | 
		368 |   tags = merge(
		369 |     local.tags,
		370 |     {
		371 |       Name = "${local.application_name}-database"
		372 |     }
		373 |   )
		374 | }


Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.database_backup_files
	File: /main.tf:445-490
	Guide: https://docs.bridgecrew.io/docs/s3_13-enable-logging

		445 | resource "aws_s3_bucket" "database_backup_files" {
		446 |   bucket = "${local.application_name}-db-backups-${local.environment}"
		447 |   acl    = "private"
		448 | 
		449 |   lifecycle {
		450 |     prevent_destroy = true
		451 |   }
		452 | 
		453 |   dynamic "lifecycle_rule" {
		454 |     for_each = true ? [true] : []
		455 | 
		456 |     content {
		457 |       enabled = true
		458 | 
		459 |       noncurrent_version_transition {
		460 |         days          = 30
		461 |         storage_class = "STANDARD_IA"
		462 |       }
		463 | 
		464 |       transition {
		465 |         days          = 60
		466 |         storage_class = "STANDARD_IA"
		467 |       }
		468 |     }
		469 |   }
		470 | 
		471 |   server_side_encryption_configuration {
		472 |     rule {
		473 |       apply_server_side_encryption_by_default {
		474 |         sse_algorithm     = "aws:kms"
		475 |         kms_master_key_id = aws_kms_key.s3.arn
		476 |       }
		477 |     }
		478 |   }
		479 | 
		480 |   versioning {
		481 |     enabled = true
		482 |   }
		483 | 
		484 |   tags = merge(
		485 |     local.tags,
		486 |     {
		487 |       Name = "${local.application_name}-db-backups-s3"
		488 |     }
		489 |   )
		490 | }


Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.database_backup_files
	File: /main.tf:445-490
	Guide: https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled

		445 | resource "aws_s3_bucket" "database_backup_files" {
		446 |   bucket = "${local.application_name}-db-backups-${local.environment}"
		447 |   acl    = "private"
		448 | 
		449 |   lifecycle {
		450 |     prevent_destroy = true
		451 |   }
		452 | 
		453 |   dynamic "lifecycle_rule" {
		454 |     for_each = true ? [true] : []
		455 | 
		456 |     content {
		457 |       enabled = true
		458 | 
		459 |       noncurrent_version_transition {
		460 |         days          = 30
		461 |         storage_class = "STANDARD_IA"
		462 |       }
		463 | 
		464 |       transition {
		465 |         days          = 60
		466 |         storage_class = "STANDARD_IA"
		467 |       }
		468 |     }
		469 |   }
		470 | 
		471 |   server_side_encryption_configuration {
		472 |     rule {
		473 |       apply_server_side_encryption_by_default {
		474 |         sse_algorithm     = "aws:kms"
		475 |         kms_master_key_id = aws_kms_key.s3.arn
		476 |       }
		477 |     }
		478 |   }
		479 | 
		480 |   versioning {
		481 |     enabled = true
		482 |   }
		483 | 
		484 |   tags = merge(
		485 |     local.tags,
		486 |     {
		487 |       Name = "${local.application_name}-db-backups-s3"
		488 |     }
		489 |   )
		490 | }


Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.upload_files
	File: /main.tf:545-590
	Guide: https://docs.bridgecrew.io/docs/s3_13-enable-logging

		545 | resource "aws_s3_bucket" "upload_files" {
		546 |   bucket = "${local.application_name}-uploads-${local.environment}"
		547 |   acl    = "private"
		548 | 
		549 |   lifecycle {
		550 |     prevent_destroy = true
		551 |   }
		552 | 
		553 |   dynamic "lifecycle_rule" {
		554 |     for_each = true ? [true] : []
		555 | 
		556 |     content {
		557 |       enabled = true
		558 | 
		559 |       noncurrent_version_transition {
		560 |         days          = 30
		561 |         storage_class = "STANDARD_IA"
		562 |       }
		563 | 
		564 |       transition {
		565 |         days          = 60
		566 |         storage_class = "STANDARD_IA"
		567 |       }
		568 |     }
		569 |   }
		570 | 
		571 |   server_side_encryption_configuration {
		572 |     rule {
		573 |       apply_server_side_encryption_by_default {
		574 |         sse_algorithm     = "aws:kms"
		575 |         kms_master_key_id = aws_kms_key.s3.arn
		576 |       }
		577 |     }
		578 |   }
		579 | 
		580 |   versioning {
		581 |     enabled = true
		582 |   }
		583 | 
		584 |   tags = merge(
		585 |     local.tags,
		586 |     {
		587 |       Name = "${local.application_name}-uploads"
		588 |     }
		589 |   )
		590 | }


Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.upload_files
	File: /main.tf:545-590
	Guide: https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled

		545 | resource "aws_s3_bucket" "upload_files" {
		546 |   bucket = "${local.application_name}-uploads-${local.environment}"
		547 |   acl    = "private"
		548 | 
		549 |   lifecycle {
		550 |     prevent_destroy = true
		551 |   }
		552 | 
		553 |   dynamic "lifecycle_rule" {
		554 |     for_each = true ? [true] : []
		555 | 
		556 |     content {
		557 |       enabled = true
		558 | 
		559 |       noncurrent_version_transition {
		560 |         days          = 30
		561 |         storage_class = "STANDARD_IA"
		562 |       }
		563 | 
		564 |       transition {
		565 |         days          = 60
		566 |         storage_class = "STANDARD_IA"
		567 |       }
		568 |     }
		569 |   }
		570 | 
		571 |   server_side_encryption_configuration {
		572 |     rule {
		573 |       apply_server_side_encryption_by_default {
		574 |         sse_algorithm     = "aws:kms"
		575 |         kms_master_key_id = aws_kms_key.s3.arn
		576 |       }
		577 |     }
		578 |   }
		579 | 
		580 |   versioning {
		581 |     enabled = true
		582 |   }
		583 | 
		584 |   tags = merge(
		585 |     local.tags,
		586 |     {
		587 |       Name = "${local.application_name}-uploads"
		588 |     }
		589 |   )
		590 | }


Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
	FAILED for resource: aws_lb.external
	File: /main.tf:229-242
	Guide: https://docs.bridgecrew.io/docs/ensure-that-alb-redirects-http-requests-into-https-ones

		229 | resource "aws_lb" "external" {
		230 |   name               = "${local.application_name}-loadbalancer"
		231 |   load_balancer_type = "application"
		232 |   subnets            = data.aws_subnet_ids.shared-public.ids
		233 | 
		234 |   security_groups = [aws_security_group.load_balancer_security_group.id]
		235 | 
		236 |   tags = merge(
		237 |     local.tags,
		238 |     {
		239 |       Name = "${local.application_name}-external-loadbalancer"
		240 |     }
		241 |   )
		242 | }


Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.database_backup_files
	File: /main.tf:445-490
	Guide: https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		445 | resource "aws_s3_bucket" "database_backup_files" {
		446 |   bucket = "${local.application_name}-db-backups-${local.environment}"
		447 |   acl    = "private"
		448 | 
		449 |   lifecycle {
		450 |     prevent_destroy = true
		451 |   }
		452 | 
		453 |   dynamic "lifecycle_rule" {
		454 |     for_each = true ? [true] : []
		455 | 
		456 |     content {
		457 |       enabled = true
		458 | 
		459 |       noncurrent_version_transition {
		460 |         days          = 30
		461 |         storage_class = "STANDARD_IA"
		462 |       }
		463 | 
		464 |       transition {
		465 |         days          = 60
		466 |         storage_class = "STANDARD_IA"
		467 |       }
		468 |     }
		469 |   }
		470 | 
		471 |   server_side_encryption_configuration {
		472 |     rule {
		473 |       apply_server_side_encryption_by_default {
		474 |         sse_algorithm     = "aws:kms"
		475 |         kms_master_key_id = aws_kms_key.s3.arn
		476 |       }
		477 |     }
		478 |   }
		479 | 
		480 |   versioning {
		481 |     enabled = true
		482 |   }
		483 | 
		484 |   tags = merge(
		485 |     local.tags,
		486 |     {
		487 |       Name = "${local.application_name}-db-backups-s3"
		488 |     }
		489 |   )
		490 | }


Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.upload_files
	File: /main.tf:545-590
	Guide: https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		545 | resource "aws_s3_bucket" "upload_files" {
		546 |   bucket = "${local.application_name}-uploads-${local.environment}"
		547 |   acl    = "private"
		548 | 
		549 |   lifecycle {
		550 |     prevent_destroy = true
		551 |   }
		552 | 
		553 |   dynamic "lifecycle_rule" {
		554 |     for_each = true ? [true] : []
		555 | 
		556 |     content {
		557 |       enabled = true
		558 | 
		559 |       noncurrent_version_transition {
		560 |         days          = 30
		561 |         storage_class = "STANDARD_IA"
		562 |       }
		563 | 
		564 |       transition {
		565 |         days          = 60
		566 |         storage_class = "STANDARD_IA"
		567 |       }
		568 |     }
		569 |   }
		570 | 
		571 |   server_side_encryption_configuration {
		572 |     rule {
		573 |       apply_server_side_encryption_by_default {
		574 |         sse_algorithm     = "aws:kms"
		575 |         kms_master_key_id = aws_kms_key.s3.arn
		576 |       }
		577 |     }
		578 |   }
		579 | 
		580 |   versioning {
		581 |     enabled = true
		582 |   }
		583 | 
		584 |   tags = merge(
		585 |     local.tags,
		586 |     {
		587 |       Name = "${local.application_name}-uploads"
		588 |     }
		589 |   )
		590 | }


Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.external
	File: /main.tf:229-242
	Guide: https://docs.bridgecrew.io/docs/ensure-public-facing-alb-are-protected-by-waf

		229 | resource "aws_lb" "external" {
		230 |   name               = "${local.application_name}-loadbalancer"
		231 |   load_balancer_type = "application"
		232 |   subnets            = data.aws_subnet_ids.shared-public.ids
		233 | 
		234 |   security_groups = [aws_security_group.load_balancer_security_group.id]
		235 | 
		236 |   tags = merge(
		237 |     local.tags,
		238 |     {
		239 |       Name = "${local.application_name}-external-loadbalancer"
		240 |     }
		241 |   )
		242 | }


checkov_exitcode=1

TFLint Scan Failed

*****************************

tflint will check the following folders:
terraform/environments/performance-hub

*****************************

Running tflint in terraform/environments/performance-hub
WARNING: The plugin `aws` is not explicitly enabled. The bundled plugin will be enabled instead, but it is deprecated and will be removed in a future version. Please see https://github.com/terraform-linters/tflint/pull/1160 for details.
2 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform/terraform/modules/bastion_linux" is not pinned (terraform_module_pinned_source)

  on /github/workspace/terraform/environments/performance-hub/bastion_linux.tf line 6:
   6:   source = "github.com/ministryofjustice/modernisation-platform/terraform/modules/bastion_linux"

Reference: https://github.com/terraform-linters/tflint/blob/v0.31.0/docs/rules/terraform_module_pinned_source.md

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ecs" is not pinned (terraform_module_pinned_source)

  on /github/workspace/terraform/environments/performance-hub/main.tf line 141:
 141:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs"

Reference: https://github.com/terraform-linters/tflint/blob/v0.31.0/docs/rules/terraform_module_pinned_source.md

tflint_exitcode=3

@jemnery jemnery self-assigned this Aug 16, 2021
@zuriguardiola zuriguardiola temporarily deployed to performance-hub-development August 17, 2021 11:07 Inactive
@github-actions

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/performance-hub

*****************************

Running TFSEC in terraform/environments/performance-hub
Excluding the following checks: AWS095
WARNING: Failed to load module: missing module with source 'github.com/ministryofjustice/modernisation-platform/terraform/modules/bastion_linux' -  try to 'terraform init' first
WARNING: Failed to load module: missing module with source 'github.com/ministryofjustice/modernisation-platform-terraform-ecs' -  try to 'terraform init' first

  Result 1

  [aws-ec2-enforce-http-token-imds][HIGH] Resource 'aws_instance.db_mgmt_server' is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.
  /github/workspace/terraform/environments/performance-hub/db_manager.tf:1-39


       1 | resource "aws_instance" "db_mgmt_server" {
       2 |   ami                         = "ami-09b00616b12b077f8"
       3 |   associate_public_ip_address = false
       4 |   availability_zone           = "eu-west-2a"
       5 |   ebs_optimized               = true
       6 |   iam_instance_profile        = aws_iam_instance_profile.db_mgmt_profile.name
       7 |   instance_type               = "t3.large"
       8 |   key_name                    = local.app_data.accounts[local.environment].key_name
       9 |   monitoring                  = true
      10 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
      11 |   user_data                   = data.template_cloudinit_config.cloudinit-db-mgmt.rendered
      12 |   vpc_security_group_ids      = [aws_security_group.db_mgmt_server_security_group.id, ]
      13 | 
      14 |   root_block_device {
      15 |     delete_on_termination = true
      16 |     encrypted             = true
      17 |     kms_key_id            = aws_kms_key.ebs.id
      18 |     volume_size           = 150
      19 |     volume_type           = "gp3"
      20 |   }
      21 | 
      22 |   lifecycle {
      23 |     ignore_changes = [
      24 |       # This prevents clobbering the tags of attached EBS volumes. See
      25 |       # [this bug][1] in the AWS provider upstream.
      26 |       #
      27 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
      28 |       volume_tags,
      29 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
      30 |       root_block_device, # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
      31 |     ]
      32 |   }
      33 |   tags = merge(
      34 |     local.tags,
      35 |     {
      36 |       Name = "${local.application_name}-db-mgmt-server"
      37 |     }
      38 |   )
      39 | }
      40 | 
      41 | data "template_file" "db_mgmt_server_script" {
      42 |   template = file("./templates/db_mgmt_server.txt")

  Legacy ID:  AWS079
  Impact:     Instance metadata service can be interacted with freely
  Resolution: Enable HTTP token requirement for IMDS

  More Info:
  - https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options 
  - https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service 

  Result 2

  [aws-vpc-add-decription-to-security-group][LOW] Resource 'aws_security_group_rule.db_mgmt_ingress_rule' should include a description for auditing purposes.
  /github/workspace/terraform/environments/performance-hub/main.tf:415-422


     412 |   )
     413 | }
     414 | 
     415 | resource "aws_security_group_rule" "db_mgmt_ingress_rule" {
     416 |   type                     = "ingress"
     417 |   from_port                = 1433
     418 |   to_port                  = 1433
     419 |   protocol                 = "tcp"
     420 |   security_group_id        = aws_security_group.db.id
     421 |   source_security_group_id = aws_security_group.db_mgmt_server_security_group.id
     422 | }
     423 | 
     424 | resource "aws_security_group_rule" "db_ecs_ingress_rule" {
     425 |   type                     = "ingress"

  Legacy ID:  AWS018
  Impact:     Descriptions provide context for the firewall rule reasons
  Resolution: Add descriptions for all security groups and rules

  More Info:
  - https://tfsec.dev/docs/aws/vpc/add-decription-to-security-group#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule 
  - https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html 

  Result 3

  [aws-vpc-no-public-egress-sg][CRITICAL] Resource 'aws_security_group.db_mgmt_server_security_group' defines a fully open egress security group.
  /github/workspace/terraform/environments/performance-hub/db_manager.tf:137-139


     134 |     protocol  = "-1"
     135 |     from_port = 0
     136 |     to_port   = 0
     137 |     cidr_blocks = [    list: ["0.0.0.0/0"]
     138 |       "0.0.0.0/0",
     139 |     ]
     140 |   }
     141 | 
     142 |   tags = merge(

  Legacy ID:  AWS009
  Impact:     The port is exposed for egressing data to the internet
  Resolution: Set a more restrictive cidr range

  More Info:
  - https://tfsec.dev/docs/aws/vpc/no-public-egress-sg#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 

  Result 4

  [aws-elb-drop-invalid-headers][HIGH] Resource 'aws_lb.external' does not drop invalid header fields
  /github/workspace/terraform/environments/performance-hub/main.tf:229-242


     226 | # Load Balancer
     227 | #------------------------------------------------------------------------------
     228 | 
     229 | resource "aws_lb" "external" {
     230 |   name               = "${local.application_name}-loadbalancer"
     231 |   load_balancer_type = "application"
     232 |   subnets            = data.aws_subnet_ids.shared-public.ids
     233 | 
     234 |   security_groups = [aws_security_group.load_balancer_security_group.id]
     235 | 
     236 |   tags = merge(
     237 |     local.tags,
     238 |     {
     239 |       Name = "${local.application_name}-external-loadbalancer"
     240 |     }
     241 |   )
     242 | }
     243 | 
     244 | resource "aws_lb_target_group" "target_group" {
     245 |   name                 = "${local.application_name}-tg-${local.environment}"

  Legacy ID:  AWS083
  Impact:     Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution: Set drop_invalid_header_fields to true

  More Info:
  - https://tfsec.dev/docs/aws/elb/drop-invalid-headers#aws/elb 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields 
  - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html 

  Result 5

  [aws-elbv2-http-not-used][CRITICAL] Resource 'aws_lb_listener.listener' uses plain HTTP instead of HTTPS.
  /github/workspace/terraform/environments/performance-hub/main.tf:277


     274 | resource "aws_lb_listener" "listener" {
     275 |   load_balancer_arn = aws_lb.external.id
     276 |   port              = local.app_data.accounts[local.environment].server_port
     277 |   protocol          = "HTTP"    string: "HTTP"
     278 | 
     279 |   default_action {
     280 |     target_group_arn = aws_lb_target_group.target_group.id

  Legacy ID:  AWS004
  Impact:     Your traffic is not protected
  Resolution: Switch to HTTPS to benefit from TLS security features

  More Info:
  - https://tfsec.dev/docs/aws/elbv2/http-not-used#aws/elbv2 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener 
  - https://www.cloudflare.com/en-gb/learning/ssl/why-is-http-not-secure/ 

  Result 6

  [aws-s3-enable-bucket-logging][MEDIUM] Resource 'aws_s3_bucket.database_backup_files' does not have logging enabled.
  /github/workspace/terraform/environments/performance-hub/main.tf:445-490


     442 | #------------------------------------------------------------------------------
     443 | # S3 Bucket for Database backup files
     444 | #------------------------------------------------------------------------------
     445 | resource "aws_s3_bucket" "database_backup_files" {
     446 |   bucket = "${local.application_name}-db-backups-${local.environment}"
     447 |   acl    = "private"
     448 | 
     449 |   lifecycle {
     450 |     prevent_destroy = true
     451 |   }
     452 | 
     453 |   dynamic "lifecycle_rule" {
     454 |     for_each = true ? [true] : []
     455 | 
     456 |     content {
     457 |       enabled = true
     458 | 
     459 |       noncurrent_version_transition {
     460 |         days          = 30
     461 |         storage_class = "STANDARD_IA"
     462 |       }
     463 | 
     464 |       transition {
     465 |         days          = 60
     466 |         storage_class = "STANDARD_IA"
     467 |       }
     468 |     }
     469 |   }
     470 | 
     471 |   server_side_encryption_configuration {
     472 |     rule {
     473 |       apply_server_side_encryption_by_default {
     474 |         sse_algorithm     = "aws:kms"
     475 |         kms_master_key_id = aws_kms_key.s3.arn
     476 |       }
     477 |     }
     478 |   }
     479 | 
     480 |   versioning {
     481 |     enabled = true
     482 |   }
     483 | 
     484 |   tags = merge(
     485 |     local.tags,
     486 |     {
     487 |       Name = "${local.application_name}-db-backups-s3"
     488 |     }
     489 |   )
     490 | }
     491 | 
     492 | #S3 bucket access policy
     493 | resource "aws_iam_policy" "s3_database_backups_policy" {

  Legacy ID:  AWS002
  Impact:     There is no way to determine the access to this bucket
  Resolution: Add a logging block to the resource to enable access logging

  More Info:
  - https://tfsec.dev/docs/aws/s3/enable-bucket-logging#aws/s3 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket 
  - https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html 

  Result 7

  [aws-s3-specify-public-access-block][MEDIUM] Resource aws_s3_bucket.database_backup_files has no associated aws_s3_bucket_public_access_block.
  /github/workspace/terraform/environments/performance-hub/main.tf:445-490


     442 | #------------------------------------------------------------------------------
     443 | # S3 Bucket for Database backup files
     444 | #------------------------------------------------------------------------------
     445 | resource "aws_s3_bucket" "database_backup_files" {
     446 |   bucket = "${local.application_name}-db-backups-${local.environment}"
     447 |   acl    = "private"
     448 | 
     449 |   lifecycle {
     450 |     prevent_destroy = true
     451 |   }
     452 | 
     453 |   dynamic "lifecycle_rule" {
     454 |     for_each = true ? [true] : []
     455 | 
     456 |     content {
     457 |       enabled = true
     458 | 
     459 |       noncurrent_version_transition {
     460 |         days          = 30
     461 |         storage_class = "STANDARD_IA"
     462 |       }
     463 | 
     464 |       transition {
     465 |         days          = 60
     466 |         storage_class = "STANDARD_IA"
     467 |       }
     468 |     }
     469 |   }
     470 | 
     471 |   server_side_encryption_configuration {
     472 |     rule {
     473 |       apply_server_side_encryption_by_default {
     474 |         sse_algorithm     = "aws:kms"
     475 |         kms_master_key_id = aws_kms_key.s3.arn
     476 |       }
     477 |     }
     478 |   }
     479 | 
     480 |   versioning {
     481 |     enabled = true
     482 |   }
     483 | 
     484 |   tags = merge(
     485 |     local.tags,
     486 |     {
     487 |       Name = "${local.application_name}-db-backups-s3"
     488 |     }
     489 |   )
     490 | }
     491 | 
     492 | #S3 bucket access policy
     493 | resource "aws_iam_policy" "s3_database_backups_policy" {

  Legacy ID:  AWS098
  Impact:     Public access policies may be applied to sensitive data buckets
  Resolution: Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

  More Info:
  - https://tfsec.dev/docs/aws/s3/specify-public-access-block#aws/s3 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket 
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html 

  Result 8

  [aws-vpc-add-decription-to-security-group][LOW] Resource 'aws_security_group_rule.db_bastion_ingress_rule' should include a description for auditing purposes.
  /github/workspace/terraform/environments/performance-hub/main.tf:433-440


     430 |   source_security_group_id = module.windows-ecs.cluster_ec2_security_group_id
     431 | }
     432 | 
     433 | resource "aws_security_group_rule" "db_bastion_ingress_rule" {
     434 |   type              = "ingress"
     435 |   from_port         = 1433
     436 |   to_port           = 1433
     437 |   protocol          = "tcp"
     438 |   security_group_id = aws_security_group.db.id
     439 |   cidr_blocks       = ["${module.bastion_linux.bastion_private_ip}/32"]
     440 | }
     441 | 
     442 | #------------------------------------------------------------------------------
     443 | # S3 Bucket for Database backup files

  Legacy ID:  AWS018
  Impact:     Descriptions provide context for the firewall rule reasons
  Resolution: Add descriptions for all security groups and rules

  More Info:
  - https://tfsec.dev/docs/aws/vpc/add-decription-to-security-group#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule 
  - https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html 

  Result 9

  [aws-vpc-no-public-egress-sg][CRITICAL] Resource 'aws_security_group.load_balancer_security_group' defines a fully open egress security group.
  /github/workspace/terraform/environments/performance-hub/main.tf:322-324


     319 |     protocol  = "-1"
     320 |     from_port = 0
     321 |     to_port   = 0
     322 |     cidr_blocks = [    list: ["0.0.0.0/0"]
     323 |       "0.0.0.0/0",
     324 |     ]
     325 |   }
     326 | 
     327 |   tags = merge(

  Legacy ID:  AWS009
  Impact:     The port is exposed for egressing data to the internet
  Resolution: Set a more restrictive cidr range

  More Info:
  - https://tfsec.dev/docs/aws/vpc/no-public-egress-sg#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 

  Result 10

  [aws-ecr-enable-image-scans][HIGH] Resource 'aws_ecr_repository.ecr_repo' defines a disabled ECR image scan.
  /github/workspace/terraform/environments/performance-hub/main.tf:6


       3 |   image_tag_mutability = "MUTABLE"
       4 | 
       5 |   image_scanning_configuration {
       6 |     scan_on_push = false    bool: false
       7 |   }
       8 | 
       9 |   lifecycle {

  Legacy ID:  AWS023
  Impact:     The ability to scan images is not being used and vulnerabilities will not be highlighted
  Resolution: Enable ECR image scanning

  More Info:
  - https://tfsec.dev/docs/aws/ecr/enable-image-scans#aws/ecr 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration 
  - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html 

  Result 11

  [aws-ecr-enforce-immutable-repository][HIGH] Resource 'aws_ecr_repository.ecr_repo' has `image_tag_mutability` attribute not set to `IMMUTABLE`
  /github/workspace/terraform/environments/performance-hub/main.tf:3


       1 | resource "aws_ecr_repository" "ecr_repo" {
       2 |   name                 = local.application_name
       3 |   image_tag_mutability = "MUTABLE"    string: "MUTABLE"
       4 | 
       5 |   image_scanning_configuration {
       6 |     scan_on_push = false

  Legacy ID:  AWS078
  Impact:     Image tags could be overwritten with compromised images
  Resolution: Only use immutable images in ECR

  More Info:
  - https://tfsec.dev/docs/aws/ecr/enforce-immutable-repository#aws/ecr 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository 
  - https://sysdig.com/blog/toctou-tag-mutability/ 

  Result 12

  [aws-ecr-repository-customer-key][LOW] Resource 'aws_ecr_repository.ecr_repo' does not have CMK encryption configured
  /github/workspace/terraform/environments/performance-hub/main.tf:1-12


       1 | resource "aws_ecr_repository" "ecr_repo" {
       2 |   name                 = local.application_name
       3 |   image_tag_mutability = "MUTABLE"
       4 | 
       5 |   image_scanning_configuration {
       6 |     scan_on_push = false
       7 |   }
       8 | 
       9 |   lifecycle {
      10 |     prevent_destroy = true
      11 |   }
      12 | }
      13 | 
      14 | data "aws_caller_identity" "current" {}
      15 | 

  Legacy ID:  AWS093
  Impact:     Using AWS managed keys does not allow for fine grained control
  Resolution: Use customer managed keys

  More Info:
  - https://tfsec.dev/docs/aws/ecr/repository-customer-key#aws/ecr 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration 
  - https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html 

  Result 13

  [aws-rds-encrypt-instance-storage-data][HIGH] Resource 'aws_db_instance.database' has storage encrypted set to false
  /github/workspace/terraform/environments/performance-hub/main.tf:350


     347 |   multi_az                            = false
     348 |   username                            = local.app_data.accounts[local.environment].db_user
     349 |   password                            = data.aws_secretsmanager_secret_version.database_password.arn
     350 |   storage_encrypted                   = false    bool: false
     351 |   iam_database_authentication_enabled = false
     352 |   vpc_security_group_ids              = [aws_security_group.db.id]
     353 |   snapshot_identifier                 = local.app_data.accounts[local.environment].db_snapshot_identifier

  Legacy ID:  AWS052
  Impact:     Data can be read from RDS instances if compromised
  Resolution: Enable encryption for RDS instances

  More Info:
  - https://tfsec.dev/docs/aws/rds/encrypt-instance-storage-data#aws/rds 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance 
  - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html 

  Result 14

  [aws-s3-enable-bucket-logging][MEDIUM] Resource 'aws_s3_bucket.upload_files' does not have logging enabled.
  /github/workspace/terraform/environments/performance-hub/main.tf:545-590


     542 | #------------------------------------------------------------------------------
     543 | # S3 Bucket for Uploads
     544 | #------------------------------------------------------------------------------
     545 | resource "aws_s3_bucket" "upload_files" {
     546 |   bucket = "${local.application_name}-uploads-${local.environment}"
     547 |   acl    = "private"
     548 | 
     549 |   lifecycle {
     550 |     prevent_destroy = true
     551 |   }
     552 | 
     553 |   dynamic "lifecycle_rule" {
     554 |     for_each = true ? [true] : []
     555 | 
     556 |     content {
     557 |       enabled = true
     558 | 
     559 |       noncurrent_version_transition {
     560 |         days          = 30
     561 |         storage_class = "STANDARD_IA"
     562 |       }
     563 | 
     564 |       transition {
     565 |         days          = 60
     566 |         storage_class = "STANDARD_IA"
     567 |       }
     568 |     }
     569 |   }
     570 | 
     571 |   server_side_encryption_configuration {
     572 |     rule {
     573 |       apply_server_side_encryption_by_default {
     574 |         sse_algorithm     = "aws:kms"
     575 |         kms_master_key_id = aws_kms_key.s3.arn
     576 |       }
     577 |     }
     578 |   }
     579 | 
     580 |   versioning {
     581 |     enabled = true
     582 |   }
     583 | 
     584 |   tags = merge(
     585 |     local.tags,
     586 |     {
     587 |       Name = "${local.application_name}-uploads"
     588 |     }
     589 |   )
     590 | }
     591 | 
     592 | resource "aws_s3_bucket_policy" "upload_files_policy" {
     593 |   bucket = aws_s3_bucket.upload_files.id

  Legacy ID:  AWS002
  Impact:     There is no way to determine the access to this bucket
  Resolution: Add a logging block to the resource to enable access logging

  More Info:
  - https://tfsec.dev/docs/aws/s3/enable-bucket-logging#aws/s3 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket 
  - https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html 

  Result 15

  [aws-s3-specify-public-access-block][MEDIUM] Resource aws_s3_bucket.upload_files has no associated aws_s3_bucket_public_access_block.
  /github/workspace/terraform/environments/performance-hub/main.tf:545-590


     542 | #------------------------------------------------------------------------------
     543 | # S3 Bucket for Uploads
     544 | #------------------------------------------------------------------------------
     545 | resource "aws_s3_bucket" "upload_files" {
     546 |   bucket = "${local.application_name}-uploads-${local.environment}"
     547 |   acl    = "private"
     548 | 
     549 |   lifecycle {
     550 |     prevent_destroy = true
     551 |   }
     552 | 
     553 |   dynamic "lifecycle_rule" {
     554 |     for_each = true ? [true] : []
     555 | 
     556 |     content {
     557 |       enabled = true
     558 | 
     559 |       noncurrent_version_transition {
     560 |         days          = 30
     561 |         storage_class = "STANDARD_IA"
     562 |       }
     563 | 
     564 |       transition {
     565 |         days          = 60
     566 |         storage_class = "STANDARD_IA"
     567 |       }
     568 |     }
     569 |   }
     570 | 
     571 |   server_side_encryption_configuration {
     572 |     rule {
     573 |       apply_server_side_encryption_by_default {
     574 |         sse_algorithm     = "aws:kms"
     575 |         kms_master_key_id = aws_kms_key.s3.arn
     576 |       }
     577 |     }
     578 |   }
     579 | 
     580 |   versioning {
     581 |     enabled = true
     582 |   }
     583 | 
     584 |   tags = merge(
     585 |     local.tags,
     586 |     {
     587 |       Name = "${local.application_name}-uploads"
     588 |     }
     589 |   )
     590 | }
     591 | 
     592 | resource "aws_s3_bucket_policy" "upload_files_policy" {
     593 |   bucket = aws_s3_bucket.upload_files.id

  Legacy ID:  AWS098
  Impact:     Public access policies may be applied to sensitive data buckets
  Resolution: Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

  More Info:
  - https://tfsec.dev/docs/aws/s3/specify-public-access-block#aws/s3 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket 
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html 

  Result 16

  [aws-vpc-add-decription-to-security-group][LOW] Resource 'aws_security_group_rule.db_ecs_ingress_rule' should include a description for auditing purposes.
  /github/workspace/terraform/environments/performance-hub/main.tf:424-431


     421 |   source_security_group_id = aws_security_group.db_mgmt_server_security_group.id
     422 | }
     423 | 
     424 | resource "aws_security_group_rule" "db_ecs_ingress_rule" {
     425 |   type                     = "ingress"
     426 |   from_port                = 1433
     427 |   to_port                  = 1433
     428 |   protocol                 = "tcp"
     429 |   security_group_id        = aws_security_group.db.id
     430 |   source_security_group_id = module.windows-ecs.cluster_ec2_security_group_id
     431 | }
     432 | 
     433 | resource "aws_security_group_rule" "db_bastion_ingress_rule" {
     434 |   type              = "ingress"

  Legacy ID:  AWS018
  Impact:     Descriptions provide context for the firewall rule reasons
  Resolution: Add descriptions for all security groups and rules

  More Info:
  - https://tfsec.dev/docs/aws/vpc/add-decription-to-security-group#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule 
  - https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html 

  Result 17

  [aws-vpc-no-public-ingress-sg][CRITICAL] Resource 'aws_security_group.load_balancer_security_group' defines a fully open ingress security group.
  /github/workspace/terraform/environments/performance-hub/main.tf:315


     312 |     protocol    = "tcp"
     313 |     from_port   = 443
     314 |     to_port     = 443
     315 |     cidr_blocks = ["0.0.0.0/0", ]    list: ["0.0.0.0/0"]
     316 |   }
     317 | 
     318 |   egress {

  Legacy ID:  AWS008
  Impact:     The port is exposed for ingress from the internet
  Resolution: Set a more restrictive cidr range

  More Info:
  - https://tfsec.dev/docs/aws/vpc/no-public-ingress-sg#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 

  Result 18

  [aws-elbv2-alb-not-public][HIGH] Resource 'aws_lb.external' is exposed publicly.
  /github/workspace/terraform/environments/performance-hub/main.tf:229-242


     226 | # Load Balancer
     227 | #------------------------------------------------------------------------------
     228 | 
     229 | resource "aws_lb" "external" {
     230 |   name               = "${local.application_name}-loadbalancer"
     231 |   load_balancer_type = "application"
     232 |   subnets            = data.aws_subnet_ids.shared-public.ids
     233 | 
     234 |   security_groups = [aws_security_group.load_balancer_security_group.id]
     235 | 
     236 |   tags = merge(
     237 |     local.tags,
     238 |     {
     239 |       Name = "${local.application_name}-external-loadbalancer"
     240 |     }
     241 |   )
     242 | }
     243 | 
     244 | resource "aws_lb_target_group" "target_group" {
     245 |   name                 = "${local.application_name}-tg-${local.environment}"

  Legacy ID:  AWS005
  Impact:     The load balancer is exposed on the internet
  Resolution: Switch to an internal load balancer or add a tfsec ignore

  More Info:
  - https://tfsec.dev/docs/aws/elbv2/alb-not-public#aws/elbv2 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb 

  Result 19

  [aws-iam-no-policy-wildcards][HIGH] Resource 'aws_iam_policy.db_mgmt_policy' defines a policy with wildcarded resources.
  /github/workspace/terraform/environments/performance-hub/db_manager.tf:92-117


      89 |   name        = "${local.application_name}-db_mgmt-ec2-policy"
      90 |   description = "${local.application_name} ec2-policy"
      91 | 
      92 |   policy = <<EOF    string: "{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n      {\n        \"Effect\": \"Allow\",\n        \"Action\": \"s3:*\",\n        \"Resource\": \"*\"\n      },\n      {\n        \"Effect\": \"Allow\",\n        \"Action\": [\n          \"s3:GetEncryptionConfiguration\"\n        ],\n        \"Resource\": \"*\"\n      },\n      {\n        \"Effect\": \"Allow\",\n        \"Action\": [\n          \"kms:Decrypt\"\n        ],\n        \"Resource\": \"arn:aws:kms:eu-west-2:322518575883:key/c1b9e987-29e2-458f-b5bd-2e9c2b57f049\"\n      }\n    ]\n}\n"
      93 | {
      94 |     "Version": "2012-10-17",
      95 |     "Statement": [
      96 |       {
      97 |         "Effect": "Allow",
      98 |         "Action": "s3:*",
      99 |         "Resource": "*"
     100 |       },
     101 |       {
     102 |         "Effect": "Allow",
     103 |         "Action": [
     104 |           "s3:GetEncryptionConfiguration"
     105 |         ],
     106 |         "Resource": "*"
     107 |       },
     108 |       {
     109 |         "Effect": "Allow",
     110 |         "Action": [
     111 |           "kms:Decrypt"
     112 |         ],
     113 |         "Resource": "arn:aws:kms:eu-west-2:322518575883:key/c1b9e987-29e2-458f-b5bd-2e9c2b57f049"
     114 |       }
     115 |     ]
     116 | }
     117 | EOF
     118 | }
     119 | 
     120 | # EC2 Security Group

  Legacy ID:  AWS099
  Impact:     Overly permissive policies may grant access to sensitive resources
  Resolution: Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Info:
  - https://tfsec.dev/docs/aws/iam/no-policy-wildcards#aws/iam 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document 
  - https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html 

  Result 20

  [aws-rds-backup-retention-specified][MEDIUM] Resource 'aws_db_instance.database' has backup retention period set to a low value
  /github/workspace/terraform/environments/performance-hub/main.tf:354


     351 |   iam_database_authentication_enabled = false
     352 |   vpc_security_group_ids              = [aws_security_group.db.id]
     353 |   snapshot_identifier                 = local.app_data.accounts[local.environment].db_snapshot_identifier
     354 |   backup_retention_period             = 0    number: 0.000000
     355 |   maintenance_window                  = "Mon:00:00-Mon:03:00"
     356 |   backup_window                       = "03:00-06:00"
     357 |   final_snapshot_identifier           = "final-snapshot"

  Legacy ID:  AWS091
  Impact:     Potential loss of data and short opportunity for recovery
  Resolution: Explicitly set the retention period to greater than the default

  More Info:
  - https://tfsec.dev/docs/aws/rds/backup-retention-specified#aws/rds 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period 
  - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention 

  Result 21

  [aws-vpc-no-public-ingress-sg][CRITICAL] Resource 'aws_security_group.load_balancer_security_group' defines a fully open ingress security group.
  /github/workspace/terraform/environments/performance-hub/main.tf:308


     305 |     protocol    = "tcp"
     306 |     from_port   = local.app_data.accounts[local.environment].server_port
     307 |     to_port     = local.app_data.accounts[local.environment].server_port
     308 |     cidr_blocks = ["0.0.0.0/0", ]    list: ["0.0.0.0/0"]
     309 |   }
     310 | 
     311 |   ingress {

  Legacy ID:  AWS008
  Impact:     The port is exposed for ingress from the internet
  Resolution: Set a more restrictive cidr range

  More Info:
  - https://tfsec.dev/docs/aws/vpc/no-public-ingress-sg#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 

  times
  ------------------------------------------
  disk i/o             8.72427ms
  parsing HCL          60.1µs
  evaluating values    18.996267ms
  running checks       14.203374ms

  counts
  ------------------------------------------
  files loaded         10
  blocks               91
  modules              0

  results
  ------------------------------------------
  critical             5
  high                 7
  medium               5
  low                  4
  ignored              0

  21 potential problems detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/performance-hub

*****************************

Running Checkov in terraform/environments/performance-hub
Traceback (most recent call last):
  File "/usr/local/bin/checkov", line 8, in <module>
    exit(run())
  File "/usr/local/lib/python3.7/dist-packages/checkov/main.py", line 167, in run
    files=file, guidelines=guidelines)
  File "/usr/local/lib/python3.7/dist-packages/checkov/common/runners/runner_registry.py", line 54, in run
    collect_skip_comments=collect_skip_comments,
  File "/usr/local/lib/python3.7/dist-packages/checkov/cloudformation/runner.py", line 56, in run
    self.definitions, self.definitions_raw = create_definitions(root_folder, files, runner_filter)
  File "/usr/local/lib/python3.7/dist-packages/checkov/cloudformation/cfn_utils.py", line 201, in create_definitions
    definitions, definitions_raw = get_folder_definitions(root_folder, runner_filter.excluded_paths)
  File "/usr/local/lib/python3.7/dist-packages/checkov/cloudformation/cfn_utils.py", line 110, in get_folder_definitions
    template, template_lines = parse(file)
  File "/usr/local/lib/python3.7/dist-packages/checkov/cloudformation/parser/__init__.py", line 48, in parse
    resources = template.get(TemplateSections.RESOURCES.value, None)
  File "/usr/local/lib/python3.7/dist-packages/checkov/cloudformation/parser/node.py", line 202, in __getattr__
    raise TemplateAttributeError('%s.%s is invalid' % (self.__class__.__name__, name))
checkov.cloudformation.parser.node.TemplateAttributeError: list_node.get is invalid
checkov_exitcode=1

CTFLint Scan Success

*****************************

tflint will check the following folders:
terraform/environments/performance-hub

*****************************

Running tflint in terraform/environments/performance-hub
Excluding the following checks: terraform_module_pinned_source
WARNING: The plugin `aws` is not explicitly enabled. The bundled plugin will be enabled instead, but it is deprecated and will be removed in a future version. Please see https://github.com/terraform-linters/tflint/pull/1160 for details.
tflint_exitcode=0

@zuriguardiola zuriguardiola temporarily deployed to performance-hub-development August 18, 2021 09:52 Inactive
@zuriguardiola zuriguardiola merged commit 0807f27 into main Aug 18, 2021
@zuriguardiola zuriguardiola deleted the perf-hub-govuk-notify-secret branch August 18, 2021 09:54
@github-actions

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/performance-hub

*****************************

Running TFSEC in terraform/environments/performance-hub
Excluding the following checks: AWS095
WARNING: Failed to load module: missing module with source 'github.com/ministryofjustice/modernisation-platform/terraform/modules/bastion_linux' -  try to 'terraform init' first
WARNING: Failed to load module: missing module with source 'github.com/ministryofjustice/modernisation-platform-terraform-ecs?ref=v1.0.0' -  try to 'terraform init' first

  Result 1

  [aws-ecr-repository-customer-key][LOW] Resource 'aws_ecr_repository.ecr_repo' does not have CMK encryption configured
  /github/workspace/terraform/environments/performance-hub/main.tf:1-12


       1 | resource "aws_ecr_repository" "ecr_repo" {
       2 |   name                 = local.application_name
       3 |   image_tag_mutability = "MUTABLE"
       4 | 
       5 |   image_scanning_configuration {
       6 |     scan_on_push = false
       7 |   }
       8 | 
       9 |   lifecycle {
      10 |     prevent_destroy = true
      11 |   }
      12 | }
      13 | 
      14 | data "aws_caller_identity" "current" {}
      15 | 

  Legacy ID:  AWS093
  Impact:     Using AWS managed keys does not allow for fine grained control
  Resolution: Use customer managed keys

  More Info:
  - https://tfsec.dev/docs/aws/ecr/repository-customer-key#aws/ecr 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration 
  - https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html 

  Result 2

  [aws-elb-drop-invalid-headers][HIGH] Resource 'aws_lb.external' does not drop invalid header fields
  /github/workspace/terraform/environments/performance-hub/main.tf:229-242


     226 | # Load Balancer
     227 | #------------------------------------------------------------------------------
     228 | 
     229 | resource "aws_lb" "external" {
     230 |   name               = "${local.application_name}-loadbalancer"
     231 |   load_balancer_type = "application"
     232 |   subnets            = data.aws_subnet_ids.shared-public.ids
     233 | 
     234 |   security_groups = [aws_security_group.load_balancer_security_group.id]
     235 | 
     236 |   tags = merge(
     237 |     local.tags,
     238 |     {
     239 |       Name = "${local.application_name}-external-loadbalancer"
     240 |     }
     241 |   )
     242 | }
     243 | 
     244 | resource "aws_lb_target_group" "target_group" {
     245 |   name                 = "${local.application_name}-tg-${local.environment}"

  Legacy ID:  AWS083
  Impact:     Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution: Set drop_invalid_header_fields to true

  More Info:
  - https://tfsec.dev/docs/aws/elb/drop-invalid-headers#aws/elb 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields 
  - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html 

  Result 3

  [aws-elbv2-http-not-used][CRITICAL] Resource 'aws_lb_listener.listener' uses plain HTTP instead of HTTPS.
  /github/workspace/terraform/environments/performance-hub/main.tf:277


     274 | resource "aws_lb_listener" "listener" {
     275 |   load_balancer_arn = aws_lb.external.id
     276 |   port              = local.app_data.accounts[local.environment].server_port
     277 |   protocol          = "HTTP"    string: "HTTP"
     278 | 
     279 |   default_action {
     280 |     target_group_arn = aws_lb_target_group.target_group.id

  Legacy ID:  AWS004
  Impact:     Your traffic is not protected
  Resolution: Switch to HTTPS to benefit from TLS security features

  More Info:
  - https://tfsec.dev/docs/aws/elbv2/http-not-used#aws/elbv2 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener 
  - https://www.cloudflare.com/en-gb/learning/ssl/why-is-http-not-secure/ 

  Result 4

  [aws-vpc-add-decription-to-security-group][LOW] Resource 'aws_security_group_rule.db_ecs_ingress_rule' should include a description for auditing purposes.
  /github/workspace/terraform/environments/performance-hub/main.tf:424-431


     421 |   source_security_group_id = aws_security_group.db_mgmt_server_security_group.id
     422 | }
     423 | 
     424 | resource "aws_security_group_rule" "db_ecs_ingress_rule" {
     425 |   type                     = "ingress"
     426 |   from_port                = 1433
     427 |   to_port                  = 1433
     428 |   protocol                 = "tcp"
     429 |   security_group_id        = aws_security_group.db.id
     430 |   source_security_group_id = module.windows-ecs.cluster_ec2_security_group_id
     431 | }
     432 | 
     433 | resource "aws_security_group_rule" "db_bastion_ingress_rule" {
     434 |   type              = "ingress"

  Legacy ID:  AWS018
  Impact:     Descriptions provide context for the firewall rule reasons
  Resolution: Add descriptions for all security groups and rules

  More Info:
  - https://tfsec.dev/docs/aws/vpc/add-decription-to-security-group#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule 
  - https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html 

  Result 5

  [aws-vpc-no-public-egress-sg][CRITICAL] Resource 'aws_security_group.db_mgmt_server_security_group' defines a fully open egress security group.
  /github/workspace/terraform/environments/performance-hub/db_manager.tf:137-139


     134 |     protocol  = "-1"
     135 |     from_port = 0
     136 |     to_port   = 0
     137 |     cidr_blocks = [    list: ["0.0.0.0/0"]
     138 |       "0.0.0.0/0",
     139 |     ]
     140 |   }
     141 | 
     142 |   tags = merge(

  Legacy ID:  AWS009
  Impact:     The port is exposed for egressing data to the internet
  Resolution: Set a more restrictive cidr range

  More Info:
  - https://tfsec.dev/docs/aws/vpc/no-public-egress-sg#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 

  Result 6

  [aws-vpc-no-public-ingress-sg][CRITICAL] Resource 'aws_security_group.load_balancer_security_group' defines a fully open ingress security group.
  /github/workspace/terraform/environments/performance-hub/main.tf:315


     312 |     protocol    = "tcp"
     313 |     from_port   = 443
     314 |     to_port     = 443
     315 |     cidr_blocks = ["0.0.0.0/0", ]    list: ["0.0.0.0/0"]
     316 |   }
     317 | 
     318 |   egress {

  Legacy ID:  AWS008
  Impact:     The port is exposed for ingress from the internet
  Resolution: Set a more restrictive cidr range

  More Info:
  - https://tfsec.dev/docs/aws/vpc/no-public-ingress-sg#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 

  Result 7

  [aws-vpc-no-public-ingress-sg][CRITICAL] Resource 'aws_security_group.load_balancer_security_group' defines a fully open ingress security group.
  /github/workspace/terraform/environments/performance-hub/main.tf:308


     305 |     protocol    = "tcp"
     306 |     from_port   = local.app_data.accounts[local.environment].server_port
     307 |     to_port     = local.app_data.accounts[local.environment].server_port
     308 |     cidr_blocks = ["0.0.0.0/0", ]    list: ["0.0.0.0/0"]
     309 |   }
     310 | 
     311 |   ingress {

  Legacy ID:  AWS008
  Impact:     The port is exposed for ingress from the internet
  Resolution: Set a more restrictive cidr range

  More Info:
  - https://tfsec.dev/docs/aws/vpc/no-public-ingress-sg#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 

  Result 8

  [aws-ecr-enforce-immutable-repository][HIGH] Resource 'aws_ecr_repository.ecr_repo' has `image_tag_mutability` attribute  not set to `IMMUTABLE`
  /github/workspace/terraform/environments/performance-hub/main.tf:3


       1 | resource "aws_ecr_repository" "ecr_repo" {
       2 |   name                 = local.application_name
       3 |   image_tag_mutability = "MUTABLE"    string: "MUTABLE"
       4 | 
       5 |   image_scanning_configuration {
       6 |     scan_on_push = false

  Legacy ID:  AWS078
  Impact:     Image tags could be overwritten with compromised images
  Resolution: Only use immutable images in ECR

  More Info:
  - https://tfsec.dev/docs/aws/ecr/enforce-immutable-repository#aws/ecr 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository 
  - https://sysdig.com/blog/toctou-tag-mutability/ 

  Result 9

  [aws-vpc-no-public-egress-sg][CRITICAL] Resource 'aws_security_group.load_balancer_security_group' defines a fully open egress security group.
  /github/workspace/terraform/environments/performance-hub/main.tf:322-324


     319 |     protocol  = "-1"
     320 |     from_port = 0
     321 |     to_port   = 0
     322 |     cidr_blocks = [    list: ["0.0.0.0/0"]
     323 |       "0.0.0.0/0",
     324 |     ]
     325 |   }
     326 | 
     327 |   tags = merge(

  Legacy ID:  AWS009
  Impact:     The port is exposed for egressing data to the internet
  Resolution: Set a more restrictive cidr range

  More Info:
  - https://tfsec.dev/docs/aws/vpc/no-public-egress-sg#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 

  Result 10

  [aws-vpc-add-decription-to-security-group][LOW] Resource 'aws_security_group_rule.db_bastion_ingress_rule' should include a description for auditing purposes.
  /github/workspace/terraform/environments/performance-hub/main.tf:433-440


     430 |   source_security_group_id = module.windows-ecs.cluster_ec2_security_group_id
     431 | }
     432 | 
     433 | resource "aws_security_group_rule" "db_bastion_ingress_rule" {
     434 |   type              = "ingress"
     435 |   from_port         = 1433
     436 |   to_port           = 1433
     437 |   protocol          = "tcp"
     438 |   security_group_id = aws_security_group.db.id
     439 |   cidr_blocks       = ["${module.bastion_linux.bastion_private_ip}/32"]
     440 | }
     441 | 
     442 | #------------------------------------------------------------------------------
     443 | # S3 Bucket for Database backup files

  Legacy ID:  AWS018
  Impact:     Descriptions provide context for the firewall rule reasons
  Resolution: Add descriptions for all security groups and rules

  More Info:
  - https://tfsec.dev/docs/aws/vpc/add-decription-to-security-group#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule 
  - https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html 

  Result 11

  [aws-iam-no-policy-wildcards][HIGH] Resource 'aws_iam_policy.db_mgmt_policy' defines a policy with wildcarded resources.
  /github/workspace/terraform/environments/performance-hub/db_manager.tf:92-117


      89 |   name        = "${local.application_name}-db_mgmt-ec2-policy"
      90 |   description = "${local.application_name} ec2-policy"
      91 | 
      92 |   policy = <<EOF    string: "{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n      {\n        \"Effect\": \"Allow\",\n        \"Action\": \"s3:*\",\n        \"Resource\": \"*\"\n      },\n      {\n        \"Effect\": \"Allow\",\n        \"Action\": [\n          \"s3:GetEncryptionConfiguration\"\n        ],\n        \"Resource\": \"*\"\n      },\n      {\n        \"Effect\": \"Allow\",\n        \"Action\": [\n          \"kms:Decrypt\"\n        ],\n        \"Resource\": \"arn:aws:kms:eu-west-2:322518575883:key/c1b9e987-29e2-458f-b5bd-2e9c2b57f049\"\n      }\n    ]\n}\n"
      93 | {
      94 |     "Version": "2012-10-17",
      95 |     "Statement": [
      96 |       {
      97 |         "Effect": "Allow",
      98 |         "Action": "s3:*",
      99 |         "Resource": "*"
     100 |       },
     101 |       {
     102 |         "Effect": "Allow",
     103 |         "Action": [
     104 |           "s3:GetEncryptionConfiguration"
     105 |         ],
     106 |         "Resource": "*"
     107 |       },
     108 |       {
     109 |         "Effect": "Allow",
     110 |         "Action": [
     111 |           "kms:Decrypt"
     112 |         ],
     113 |         "Resource": "arn:aws:kms:eu-west-2:322518575883:key/c1b9e987-29e2-458f-b5bd-2e9c2b57f049"
     114 |       }
     115 |     ]
     116 | }
     117 | EOF
     118 | }
     119 | 
     120 | # EC2 Security Group

  Legacy ID:  AWS099
  Impact:     Overly permissive policies may grant access to sensitive resources
  Resolution: Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Info:
  - https://tfsec.dev/docs/aws/iam/no-policy-wildcards#aws/iam 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document 
  - https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html 

  Result 12

  [aws-rds-backup-retention-specified][MEDIUM] Resource 'aws_db_instance.database' has backup retention period set to a low value
  /github/workspace/terraform/environments/performance-hub/main.tf:354


     351 |   iam_database_authentication_enabled = false
     352 |   vpc_security_group_ids              = [aws_security_group.db.id]
     353 |   snapshot_identifier                 = local.app_data.accounts[local.environment].db_snapshot_identifier
     354 |   backup_retention_period             = 0    number: 0.000000
     355 |   maintenance_window                  = "Mon:00:00-Mon:03:00"
     356 |   backup_window                       = "03:00-06:00"
     357 |   final_snapshot_identifier           = "final-snapshot"

  Legacy ID:  AWS091
  Impact:     Potential loss of data and short opportunity for recovery
  Resolution: Explicitly set the retention period to greater than the default

  More Info:
  - https://tfsec.dev/docs/aws/rds/backup-retention-specified#aws/rds 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period 
  - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention 

  Result 13

  [aws-s3-specify-public-access-block][MEDIUM] Resource aws_s3_bucket.upload_files has no associated aws_s3_bucket_public_access_block.
  /github/workspace/terraform/environments/performance-hub/main.tf:545-590


     542 | #------------------------------------------------------------------------------
     543 | # S3 Bucket for Uploads
     544 | #------------------------------------------------------------------------------
     545 | resource "aws_s3_bucket" "upload_files" {
     546 |   bucket = "${local.application_name}-uploads-${local.environment}"
     547 |   acl    = "private"
     548 | 
     549 |   lifecycle {
     550 |     prevent_destroy = true
     551 |   }
     552 | 
     553 |   dynamic "lifecycle_rule" {
     554 |     for_each = true ? [true] : []
     555 | 
     556 |     content {
     557 |       enabled = true
     558 | 
     559 |       noncurrent_version_transition {
     560 |         days          = 30
     561 |         storage_class = "STANDARD_IA"
     562 |       }
     563 | 
     564 |       transition {
     565 |         days          = 60
     566 |         storage_class = "STANDARD_IA"
     567 |       }
     568 |     }
     569 |   }
     570 | 
     571 |   server_side_encryption_configuration {
     572 |     rule {
     573 |       apply_server_side_encryption_by_default {
     574 |         sse_algorithm     = "aws:kms"
     575 |         kms_master_key_id = aws_kms_key.s3.arn
     576 |       }
     577 |     }
     578 |   }
     579 | 
     580 |   versioning {
     581 |     enabled = true
     582 |   }
     583 | 
     584 |   tags = merge(
     585 |     local.tags,
     586 |     {
     587 |       Name = "${local.application_name}-uploads"
     588 |     }
     589 |   )
     590 | }
     591 | 
     592 | resource "aws_s3_bucket_policy" "upload_files_policy" {
     593 |   bucket = aws_s3_bucket.upload_files.id

  Legacy ID:  AWS098
  Impact:     Public access policies may be applied to sensitive data buckets
  Resolution: Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

  More Info:
  - https://tfsec.dev/docs/aws/s3/specify-public-access-block#aws/s3 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket 
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html 

  Result 14

  [aws-ecr-enable-image-scans][HIGH] Resource 'aws_ecr_repository.ecr_repo' defines a disabled ECR image scan.
  /github/workspace/terraform/environments/performance-hub/main.tf:6


       3 |   image_tag_mutability = "MUTABLE"
       4 | 
       5 |   image_scanning_configuration {
       6 |     scan_on_push = false    bool: false
       7 |   }
       8 | 
       9 |   lifecycle {

  Legacy ID:  AWS023
  Impact:     The ability to scan images is not being used and vulnerabilities will not be highlighted
  Resolution: Enable ECR image scanning

  More Info:
  - https://tfsec.dev/docs/aws/ecr/enable-image-scans#aws/ecr 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration 
  - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html 

  Result 15

  [aws-elbv2-alb-not-public][HIGH] Resource 'aws_lb.external' is exposed publicly.
  /github/workspace/terraform/environments/performance-hub/main.tf:229-242


     226 | # Load Balancer
     227 | #------------------------------------------------------------------------------
     228 | 
     229 | resource "aws_lb" "external" {
     230 |   name               = "${local.application_name}-loadbalancer"
     231 |   load_balancer_type = "application"
     232 |   subnets            = data.aws_subnet_ids.shared-public.ids
     233 | 
     234 |   security_groups = [aws_security_group.load_balancer_security_group.id]
     235 | 
     236 |   tags = merge(
     237 |     local.tags,
     238 |     {
     239 |       Name = "${local.application_name}-external-loadbalancer"
     240 |     }
     241 |   )
     242 | }
     243 | 
     244 | resource "aws_lb_target_group" "target_group" {
     245 |   name                 = "${local.application_name}-tg-${local.environment}"

  Legacy ID:  AWS005
  Impact:     The load balancer is exposed on the internet
  Resolution: Switch to an internal load balancer or add a tfsec ignore

  More Info:
  - https://tfsec.dev/docs/aws/elbv2/alb-not-public#aws/elbv2 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb 

  Result 16

  [aws-rds-encrypt-instance-storage-data][HIGH] Resource 'aws_db_instance.database' has storage encrypted set to false
  /github/workspace/terraform/environments/performance-hub/main.tf:350


     347 |   multi_az                            = false
     348 |   username                            = local.app_data.accounts[local.environment].db_user
     349 |   password                            = data.aws_secretsmanager_secret_version.database_password.arn
     350 |   storage_encrypted                   = false    bool: false
     351 |   iam_database_authentication_enabled = false
     352 |   vpc_security_group_ids              = [aws_security_group.db.id]
     353 |   snapshot_identifier                 = local.app_data.accounts[local.environment].db_snapshot_identifier

  Legacy ID:  AWS052
  Impact:     Data can be read from RDS instances if compromised
  Resolution: Enable encryption for RDS instances

  More Info:
  - https://tfsec.dev/docs/aws/rds/encrypt-instance-storage-data#aws/rds 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance 
  - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html 

  Result 17

  [aws-s3-enable-bucket-logging][MEDIUM] Resource 'aws_s3_bucket.upload_files' does not have logging enabled.
  /github/workspace/terraform/environments/performance-hub/main.tf:545-590


     542 | #------------------------------------------------------------------------------
     543 | # S3 Bucket for Uploads
     544 | #------------------------------------------------------------------------------
     545 | resource "aws_s3_bucket" "upload_files" {
     546 |   bucket = "${local.application_name}-uploads-${local.environment}"
     547 |   acl    = "private"
     548 | 
     549 |   lifecycle {
     550 |     prevent_destroy = true
     551 |   }
     552 | 
     553 |   dynamic "lifecycle_rule" {
     554 |     for_each = true ? [true] : []
     555 | 
     556 |     content {
     557 |       enabled = true
     558 | 
     559 |       noncurrent_version_transition {
     560 |         days          = 30
     561 |         storage_class = "STANDARD_IA"
     562 |       }
     563 | 
     564 |       transition {
     565 |         days          = 60
     566 |         storage_class = "STANDARD_IA"
     567 |       }
     568 |     }
     569 |   }
     570 | 
     571 |   server_side_encryption_configuration {
     572 |     rule {
     573 |       apply_server_side_encryption_by_default {
     574 |         sse_algorithm     = "aws:kms"
     575 |         kms_master_key_id = aws_kms_key.s3.arn
     576 |       }
     577 |     }
     578 |   }
     579 | 
     580 |   versioning {
     581 |     enabled = true
     582 |   }
     583 | 
     584 |   tags = merge(
     585 |     local.tags,
     586 |     {
     587 |       Name = "${local.application_name}-uploads"
     588 |     }
     589 |   )
     590 | }
     591 | 
     592 | resource "aws_s3_bucket_policy" "upload_files_policy" {
     593 |   bucket = aws_s3_bucket.upload_files.id

  Legacy ID:  AWS002
  Impact:     There is no way to determine the access to this bucket
  Resolution: Add a logging block to the resource to enable access logging

  More Info:
  - https://tfsec.dev/docs/aws/s3/enable-bucket-logging#aws/s3 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket 
  - https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html 

  Result 18

  [aws-s3-enable-bucket-logging][MEDIUM] Resource 'aws_s3_bucket.database_backup_files' does not have logging enabled.
  /github/workspace/terraform/environments/performance-hub/main.tf:445-490


     442 | #------------------------------------------------------------------------------
     443 | # S3 Bucket for Database backup files
     444 | #------------------------------------------------------------------------------
     445 | resource "aws_s3_bucket" "database_backup_files" {
     446 |   bucket = "${local.application_name}-db-backups-${local.environment}"
     447 |   acl    = "private"
     448 | 
     449 |   lifecycle {
     450 |     prevent_destroy = true
     451 |   }
     452 | 
     453 |   dynamic "lifecycle_rule" {
     454 |     for_each = true ? [true] : []
     455 | 
     456 |     content {
     457 |       enabled = true
     458 | 
     459 |       noncurrent_version_transition {
     460 |         days          = 30
     461 |         storage_class = "STANDARD_IA"
     462 |       }
     463 | 
     464 |       transition {
     465 |         days          = 60
     466 |         storage_class = "STANDARD_IA"
     467 |       }
     468 |     }
     469 |   }
     470 | 
     471 |   server_side_encryption_configuration {
     472 |     rule {
     473 |       apply_server_side_encryption_by_default {
     474 |         sse_algorithm     = "aws:kms"
     475 |         kms_master_key_id = aws_kms_key.s3.arn
     476 |       }
     477 |     }
     478 |   }
     479 | 
     480 |   versioning {
     481 |     enabled = true
     482 |   }
     483 | 
     484 |   tags = merge(
     485 |     local.tags,
     486 |     {
     487 |       Name = "${local.application_name}-db-backups-s3"
     488 |     }
     489 |   )
     490 | }
     491 | 
     492 | #S3 bucket access policy
     493 | resource "aws_iam_policy" "s3_database_backups_policy" {

  Legacy ID:  AWS002
  Impact:     There is no way to determine the access to this bucket
  Resolution: Add a logging block to the resource to enable access logging

  More Info:
  - https://tfsec.dev/docs/aws/s3/enable-bucket-logging#aws/s3 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket 
  - https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html 

  Result 19

  [aws-s3-specify-public-access-block][MEDIUM] Resource aws_s3_bucket.database_backup_files has no associated aws_s3_bucket_public_access_block.
  /github/workspace/terraform/environments/performance-hub/main.tf:445-490


     442 | #------------------------------------------------------------------------------
     443 | # S3 Bucket for Database backup files
     444 | #------------------------------------------------------------------------------
     445 | resource "aws_s3_bucket" "database_backup_files" {
     446 |   bucket = "${local.application_name}-db-backups-${local.environment}"
     447 |   acl    = "private"
     448 | 
     449 |   lifecycle {
     450 |     prevent_destroy = true
     451 |   }
     452 | 
     453 |   dynamic "lifecycle_rule" {
     454 |     for_each = true ? [true] : []
     455 | 
     456 |     content {
     457 |       enabled = true
     458 | 
     459 |       noncurrent_version_transition {
     460 |         days          = 30
     461 |         storage_class = "STANDARD_IA"
     462 |       }
     463 | 
     464 |       transition {
     465 |         days          = 60
     466 |         storage_class = "STANDARD_IA"
     467 |       }
     468 |     }
     469 |   }
     470 | 
     471 |   server_side_encryption_configuration {
     472 |     rule {
     473 |       apply_server_side_encryption_by_default {
     474 |         sse_algorithm     = "aws:kms"
     475 |         kms_master_key_id = aws_kms_key.s3.arn
     476 |       }
     477 |     }
     478 |   }
     479 | 
     480 |   versioning {
     481 |     enabled = true
     482 |   }
     483 | 
     484 |   tags = merge(
     485 |     local.tags,
     486 |     {
     487 |       Name = "${local.application_name}-db-backups-s3"
     488 |     }
     489 |   )
     490 | }
     491 | 
     492 | #S3 bucket access policy
     493 | resource "aws_iam_policy" "s3_database_backups_policy" {

  Legacy ID:  AWS098
  Impact:     Public access policies may be applied to sensitive data buckets
  Resolution: Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

  More Info:
  - https://tfsec.dev/docs/aws/s3/specify-public-access-block#aws/s3 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket 
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html 

  Result 20

  [aws-vpc-add-decription-to-security-group][LOW] Resource 'aws_security_group_rule.db_mgmt_ingress_rule' should include a description for auditing purposes.
  /github/workspace/terraform/environments/performance-hub/main.tf:415-422


     412 |   )
     413 | }
     414 | 
     415 | resource "aws_security_group_rule" "db_mgmt_ingress_rule" {
     416 |   type                     = "ingress"
     417 |   from_port                = 1433
     418 |   to_port                  = 1433
     419 |   protocol                 = "tcp"
     420 |   security_group_id        = aws_security_group.db.id
     421 |   source_security_group_id = aws_security_group.db_mgmt_server_security_group.id
     422 | }
     423 | 
     424 | resource "aws_security_group_rule" "db_ecs_ingress_rule" {
     425 |   type                     = "ingress"

  Legacy ID:  AWS018
  Impact:     Descriptions provide context for the firewall rule reasons
  Resolution: Add descriptions for all security groups and rules

  More Info:
  - https://tfsec.dev/docs/aws/vpc/add-decription-to-security-group#aws/vpc 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule 
  - https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html 

  Result 21

  [aws-ec2-enforce-http-token-imds][HIGH] Resource 'aws_instance.db_mgmt_server' is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.
  /github/workspace/terraform/environments/performance-hub/db_manager.tf:1-39


       1 | resource "aws_instance" "db_mgmt_server" {
       2 |   ami                         = "ami-09b00616b12b077f8"
       3 |   associate_public_ip_address = false
       4 |   availability_zone           = "eu-west-2a"
       5 |   ebs_optimized               = true
       6 |   iam_instance_profile        = aws_iam_instance_profile.db_mgmt_profile.name
       7 |   instance_type               = "t3.large"
       8 |   key_name                    = local.app_data.accounts[local.environment].key_name
       9 |   monitoring                  = true
      10 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
      11 |   user_data                   = data.template_cloudinit_config.cloudinit-db-mgmt.rendered
      12 |   vpc_security_group_ids      = [aws_security_group.db_mgmt_server_security_group.id, ]
      13 | 
      14 |   root_block_device {
      15 |     delete_on_termination = true
      16 |     encrypted             = true
      17 |     kms_key_id            = aws_kms_key.ebs.id
      18 |     volume_size           = 150
      19 |     volume_type           = "gp3"
      20 |   }
      21 | 
      22 |   lifecycle {
      23 |     ignore_changes = [
      24 |       # This prevents clobbering the tags of attached EBS volumes. See
      25 |       # [this bug][1] in the AWS provider upstream.
      26 |       #
      27 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
      28 |       volume_tags,
      29 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
      30 |       root_block_device, # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
      31 |     ]
      32 |   }
      33 |   tags = merge(
      34 |     local.tags,
      35 |     {
      36 |       Name = "${local.application_name}-db-mgmt-server"
      37 |     }
      38 |   )
      39 | }
      40 | 
      41 | data "template_file" "db_mgmt_server_script" {
      42 |   template = file("./templates/db_mgmt_server.txt")

  Legacy ID:  AWS079
  Impact:     Instance metadata service can be interacted with freely
  Resolution: Enable HTTP token requirement for IMDS

  More Info:
  - https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2 
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options 
  - https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service 

  times
  ------------------------------------------
  disk i/o             9.58857ms
  parsing HCL          91.201µs
  evaluating values    21.019273ms
  running checks       14.641759ms

  counts
  ------------------------------------------
  files loaded         10
  blocks               91
  modules              0

  results
  ------------------------------------------
  critical             5
  high                 7
  medium               5
  low                  4
  ignored              0

  21 potential problems detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/performance-hub

*****************************

Running Checkov in terraform/environments/performance-hub

       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By bridgecrew.io | version: 2.0.361 

terraform scan results:

Passed checks: 89, Failed checks: 26, Skipped checks: 0

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.db_mgmt_server
	File: /db_manager.tf:1-39
	Guide: https://docs.bridgecrew.io/docs/bc_aws_general_31

		1  | resource "aws_instance" "db_mgmt_server" {
		2  |   ami                         = "ami-09b00616b12b077f8"
		3  |   associate_public_ip_address = false
		4  |   availability_zone           = "eu-west-2a"
		5  |   ebs_optimized               = true
		6  |   iam_instance_profile        = aws_iam_instance_profile.db_mgmt_profile.name
		7  |   instance_type               = "t3.large"
		8  |   key_name                    = local.app_data.accounts[local.environment].key_name
		9  |   monitoring                  = true
		10 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		11 |   user_data                   = data.template_cloudinit_config.cloudinit-db-mgmt.rendered
		12 |   vpc_security_group_ids      = [aws_security_group.db_mgmt_server_security_group.id, ]
		13 | 
		14 |   root_block_device {
		15 |     delete_on_termination = true
		16 |     encrypted             = true
		17 |     kms_key_id            = aws_kms_key.ebs.id
		18 |     volume_size           = 150
		19 |     volume_type           = "gp3"
		20 |   }
		21 | 
		22 |   lifecycle {
		23 |     ignore_changes = [
		24 |       # This prevents clobbering the tags of attached EBS volumes. See
		25 |       # [this bug][1] in the AWS provider upstream.
		26 |       #
		27 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		28 |       volume_tags,
		29 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		30 |       root_block_device, # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		31 |     ]
		32 |   }
		33 |   tags = merge(
		34 |     local.tags,
		35 |     {
		36 |       Name = "${local.application_name}-db-mgmt-server"
		37 |     }
		38 |   )
		39 | }


Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ebs-kms
	File: /db_manager.tf:172-193
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint

		172 | data "aws_iam_policy_document" "ebs-kms" {
		173 |   statement {
		174 |     effect    = "Allow"
		175 |     actions   = ["kms:*"]
		176 |     resources = ["*"]
		177 | 
		178 |     principals {
		179 |       type        = "Service"
		180 |       identifiers = ["ec2.amazonaws.com"]
		181 |     }
		182 |   }
		183 |   statement {
		184 |     effect    = "Allow"
		185 |     actions   = ["kms:*"]
		186 |     resources = ["*"]
		187 | 
		188 |     principals {
		189 |       type        = "AWS"
		190 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		191 |     }
		192 |   }
		193 | }


Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ebs-kms
	File: /db_manager.tf:172-193
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		172 | data "aws_iam_policy_document" "ebs-kms" {
		173 |   statement {
		174 |     effect    = "Allow"
		175 |     actions   = ["kms:*"]
		176 |     resources = ["*"]
		177 | 
		178 |     principals {
		179 |       type        = "Service"
		180 |       identifiers = ["ec2.amazonaws.com"]
		181 |     }
		182 |   }
		183 |   statement {
		184 |     effect    = "Allow"
		185 |     actions   = ["kms:*"]
		186 |     resources = ["*"]
		187 | 
		188 |     principals {
		189 |       type        = "AWS"
		190 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		191 |     }
		192 |   }
		193 | }


Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.ecr_repo
	File: /main.tf:1-12
	Guide: https://docs.bridgecrew.io/docs/ensure-that-ecr-repositories-are-encrypted

		1  | resource "aws_ecr_repository" "ecr_repo" {
		2  |   name                 = local.application_name
		3  |   image_tag_mutability = "MUTABLE"
		4  | 
		5  |   image_scanning_configuration {
		6  |     scan_on_push = false
		7  |   }
		8  | 
		9  |   lifecycle {
		10 |     prevent_destroy = true
		11 |   }
		12 | }


Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.ecr_repo
	File: /main.tf:1-12
	Guide: https://docs.bridgecrew.io/docs/general_8

		1  | resource "aws_ecr_repository" "ecr_repo" {
		2  |   name                 = local.application_name
		3  |   image_tag_mutability = "MUTABLE"
		4  | 
		5  |   image_scanning_configuration {
		6  |     scan_on_push = false
		7  |   }
		8  | 
		9  |   lifecycle {
		10 |     prevent_destroy = true
		11 |   }
		12 | }


Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.ecr_repo
	File: /main.tf:1-12
	Guide: https://docs.bridgecrew.io/docs/bc_aws_general_24

		1  | resource "aws_ecr_repository" "ecr_repo" {
		2  |   name                 = local.application_name
		3  |   image_tag_mutability = "MUTABLE"
		4  | 
		5  |   image_scanning_configuration {
		6  |     scan_on_push = false
		7  |   }
		8  | 
		9  |   lifecycle {
		10 |     prevent_destroy = true
		11 |   }
		12 | }


Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.external
	File: /main.tf:229-242
	Guide: https://docs.bridgecrew.io/docs/bc_aws_logging_22

		229 | resource "aws_lb" "external" {
		230 |   name               = "${local.application_name}-loadbalancer"
		231 |   load_balancer_type = "application"
		232 |   subnets            = data.aws_subnet_ids.shared-public.ids
		233 | 
		234 |   security_groups = [aws_security_group.load_balancer_security_group.id]
		235 | 
		236 |   tags = merge(
		237 |     local.tags,
		238 |     {
		239 |       Name = "${local.application_name}-external-loadbalancer"
		240 |     }
		241 |   )
		242 | }


Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /main.tf:229-242

		229 | resource "aws_lb" "external" {
		230 |   name               = "${local.application_name}-loadbalancer"
		231 |   load_balancer_type = "application"
		232 |   subnets            = data.aws_subnet_ids.shared-public.ids
		233 | 
		234 |   security_groups = [aws_security_group.load_balancer_security_group.id]
		235 | 
		236 |   tags = merge(
		237 |     local.tags,
		238 |     {
		239 |       Name = "${local.application_name}-external-loadbalancer"
		240 |     }
		241 |   )
		242 | }


Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /main.tf:229-242
	Guide: https://docs.bridgecrew.io/docs/ensure-that-alb-drops-http-headers

		229 | resource "aws_lb" "external" {
		230 |   name               = "${local.application_name}-loadbalancer"
		231 |   load_balancer_type = "application"
		232 |   subnets            = data.aws_subnet_ids.shared-public.ids
		233 | 
		234 |   security_groups = [aws_security_group.load_balancer_security_group.id]
		235 | 
		236 |   tags = merge(
		237 |     local.tags,
		238 |     {
		239 |       Name = "${local.application_name}-external-loadbalancer"
		240 |     }
		241 |   )
		242 | }


Check: CKV_AWS_103: "Ensure that load balancer is using TLS 1.2"
	FAILED for resource: aws_lb_listener.listener
	File: /main.tf:274-283
	Guide: https://docs.bridgecrew.io/docs/bc_aws_general_43

		274 | resource "aws_lb_listener" "listener" {
		275 |   load_balancer_arn = aws_lb.external.id
		276 |   port              = local.app_data.accounts[local.environment].server_port
		277 |   protocol          = "HTTP"
		278 | 
		279 |   default_action {
		280 |     target_group_arn = aws_lb_target_group.target_group.id
		281 |     type             = "forward"
		282 |   }
		283 | }


Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.listener
	File: /main.tf:274-283
	Guide: https://docs.bridgecrew.io/docs/networking_29

		274 | resource "aws_lb_listener" "listener" {
		275 |   load_balancer_arn = aws_lb.external.id
		276 |   port              = local.app_data.accounts[local.environment].server_port
		277 |   protocol          = "HTTP"
		278 | 
		279 |   default_action {
		280 |     target_group_arn = aws_lb_target_group.target_group.id
		281 |     type             = "forward"
		282 |   }
		283 | }


Check: CKV_AWS_103: "Ensure that load balancer is using TLS 1.2"
	FAILED for resource: aws_lb_listener.https_listener
	File: /main.tf:285-297
	Guide: https://docs.bridgecrew.io/docs/bc_aws_general_43

		285 | resource "aws_lb_listener" "https_listener" {
		286 |   depends_on = [aws_acm_certificate_validation.external]
		287 | 
		288 |   load_balancer_arn = aws_lb.external.id
		289 |   port              = "443"
		290 |   protocol          = "HTTPS"
		291 |   certificate_arn   = aws_acm_certificate.external.arn
		292 | 
		293 |   default_action {
		294 |     target_group_arn = aws_lb_target_group.target_group.id
		295 |     type             = "forward"
		296 |   }
		297 | }


Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /main.tf:339-374
	Guide: https://docs.bridgecrew.io/docs/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		339 | resource "aws_db_instance" "database" {
		340 |   identifier                          = local.application_name
		341 |   allocated_storage                   = 100
		342 |   storage_type                        = "gp2"
		343 |   engine                              = "sqlserver-se"
		344 |   engine_version                      = "15.00.4073.23.v1"
		345 |   license_model                       = "license-included"
		346 |   instance_class                      = local.app_data.accounts[local.environment].db_instance_class
		347 |   multi_az                            = false
		348 |   username                            = local.app_data.accounts[local.environment].db_user
		349 |   password                            = data.aws_secretsmanager_secret_version.database_password.arn
		350 |   storage_encrypted                   = false
		351 |   iam_database_authentication_enabled = false
		352 |   vpc_security_group_ids              = [aws_security_group.db.id]
		353 |   snapshot_identifier                 = local.app_data.accounts[local.environment].db_snapshot_identifier
		354 |   backup_retention_period             = 0
		355 |   maintenance_window                  = "Mon:00:00-Mon:03:00"
		356 |   backup_window                       = "03:00-06:00"
		357 |   final_snapshot_identifier           = "final-snapshot"
		358 |   deletion_protection                 = false
		359 |   option_group_name                   = aws_db_option_group.db_option_group.name
		360 |   db_subnet_group_name                = aws_db_subnet_group.db.id
		361 | 
		362 |   # timeouts {
		363 |   #   create = "40m"
		364 |   #   delete = "40m"
		365 |   #   update = "80m"
		366 |   # }
		367 | 
		368 |   tags = merge(
		369 |     local.tags,
		370 |     {
		371 |       Name = "${local.application_name}-database"
		372 |     }
		373 |   )
		374 | }


Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /main.tf:339-374
	Guide: https://docs.bridgecrew.io/docs/general_4

		339 | resource "aws_db_instance" "database" {
		340 |   identifier                          = local.application_name
		341 |   allocated_storage                   = 100
		342 |   storage_type                        = "gp2"
		343 |   engine                              = "sqlserver-se"
		344 |   engine_version                      = "15.00.4073.23.v1"
		345 |   license_model                       = "license-included"
		346 |   instance_class                      = local.app_data.accounts[local.environment].db_instance_class
		347 |   multi_az                            = false
		348 |   username                            = local.app_data.accounts[local.environment].db_user
		349 |   password                            = data.aws_secretsmanager_secret_version.database_password.arn
		350 |   storage_encrypted                   = false
		351 |   iam_database_authentication_enabled = false
		352 |   vpc_security_group_ids              = [aws_security_group.db.id]
		353 |   snapshot_identifier                 = local.app_data.accounts[local.environment].db_snapshot_identifier
		354 |   backup_retention_period             = 0
		355 |   maintenance_window                  = "Mon:00:00-Mon:03:00"
		356 |   backup_window                       = "03:00-06:00"
		357 |   final_snapshot_identifier           = "final-snapshot"
		358 |   deletion_protection                 = false
		359 |   option_group_name                   = aws_db_option_group.db_option_group.name
		360 |   db_subnet_group_name                = aws_db_subnet_group.db.id
		361 | 
		362 |   # timeouts {
		363 |   #   create = "40m"
		364 |   #   delete = "40m"
		365 |   #   update = "80m"
		366 |   # }
		367 | 
		368 |   tags = merge(
		369 |     local.tags,
		370 |     {
		371 |       Name = "${local.application_name}-database"
		372 |     }
		373 |   )
		374 | }


Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /main.tf:339-374
	Guide: https://docs.bridgecrew.io/docs/general_73

		339 | resource "aws_db_instance" "database" {
		340 |   identifier                          = local.application_name
		341 |   allocated_storage                   = 100
		342 |   storage_type                        = "gp2"
		343 |   engine                              = "sqlserver-se"
		344 |   engine_version                      = "15.00.4073.23.v1"
		345 |   license_model                       = "license-included"
		346 |   instance_class                      = local.app_data.accounts[local.environment].db_instance_class
		347 |   multi_az                            = false
		348 |   username                            = local.app_data.accounts[local.environment].db_user
		349 |   password                            = data.aws_secretsmanager_secret_version.database_password.arn
		350 |   storage_encrypted                   = false
		351 |   iam_database_authentication_enabled = false
		352 |   vpc_security_group_ids              = [aws_security_group.db.id]
		353 |   snapshot_identifier                 = local.app_data.accounts[local.environment].db_snapshot_identifier
		354 |   backup_retention_period             = 0
		355 |   maintenance_window                  = "Mon:00:00-Mon:03:00"
		356 |   backup_window                       = "03:00-06:00"
		357 |   final_snapshot_identifier           = "final-snapshot"
		358 |   deletion_protection                 = false
		359 |   option_group_name                   = aws_db_option_group.db_option_group.name
		360 |   db_subnet_group_name                = aws_db_subnet_group.db.id
		361 | 
		362 |   # timeouts {
		363 |   #   create = "40m"
		364 |   #   delete = "40m"
		365 |   #   update = "80m"
		366 |   # }
		367 | 
		368 |   tags = merge(
		369 |     local.tags,
		370 |     {
		371 |       Name = "${local.application_name}-database"
		372 |     }
		373 |   )
		374 | }


Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /main.tf:339-374
	Guide: https://docs.bridgecrew.io/docs/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		339 | resource "aws_db_instance" "database" {
		340 |   identifier                          = local.application_name
		341 |   allocated_storage                   = 100
		342 |   storage_type                        = "gp2"
		343 |   engine                              = "sqlserver-se"
		344 |   engine_version                      = "15.00.4073.23.v1"
		345 |   license_model                       = "license-included"
		346 |   instance_class                      = local.app_data.accounts[local.environment].db_instance_class
		347 |   multi_az                            = false
		348 |   username                            = local.app_data.accounts[local.environment].db_user
		349 |   password                            = data.aws_secretsmanager_secret_version.database_password.arn
		350 |   storage_encrypted                   = false
		351 |   iam_database_authentication_enabled = false
		352 |   vpc_security_group_ids              = [aws_security_group.db.id]
		353 |   snapshot_identifier                 = local.app_data.accounts[local.environment].db_snapshot_identifier
		354 |   backup_retention_period             = 0
		355 |   maintenance_window                  = "Mon:00:00-Mon:03:00"
		356 |   backup_window                       = "03:00-06:00"
		357 |   final_snapshot_identifier           = "final-snapshot"
		358 |   deletion_protection                 = false
		359 |   option_group_name                   = aws_db_option_group.db_option_group.name
		360 |   db_subnet_group_name                = aws_db_subnet_group.db.id
		361 | 
		362 |   # timeouts {
		363 |   #   create = "40m"
		364 |   #   delete = "40m"
		365 |   #   update = "80m"
		366 |   # }
		367 | 
		368 |   tags = merge(
		369 |     local.tags,
		370 |     {
		371 |       Name = "${local.application_name}-database"
		372 |     }
		373 |   )
		374 | }


Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.database_backup_files
	File: /main.tf:445-490
	Guide: https://docs.bridgecrew.io/docs/s3_13-enable-logging

		445 | resource "aws_s3_bucket" "database_backup_files" {
		446 |   bucket = "${local.application_name}-db-backups-${local.environment}"
		447 |   acl    = "private"
		448 | 
		449 |   lifecycle {
		450 |     prevent_destroy = true
		451 |   }
		452 | 
		453 |   dynamic "lifecycle_rule" {
		454 |     for_each = true ? [true] : []
		455 | 
		456 |     content {
		457 |       enabled = true
		458 | 
		459 |       noncurrent_version_transition {
		460 |         days          = 30
		461 |         storage_class = "STANDARD_IA"
		462 |       }
		463 | 
		464 |       transition {
		465 |         days          = 60
		466 |         storage_class = "STANDARD_IA"
		467 |       }
		468 |     }
		469 |   }
		470 | 
		471 |   server_side_encryption_configuration {
		472 |     rule {
		473 |       apply_server_side_encryption_by_default {
		474 |         sse_algorithm     = "aws:kms"
		475 |         kms_master_key_id = aws_kms_key.s3.arn
		476 |       }
		477 |     }
		478 |   }
		479 | 
		480 |   versioning {
		481 |     enabled = true
		482 |   }
		483 | 
		484 |   tags = merge(
		485 |     local.tags,
		486 |     {
		487 |       Name = "${local.application_name}-db-backups-s3"
		488 |     }
		489 |   )
		490 | }


Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.database_backup_files
	File: /main.tf:445-490
	Guide: https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled

		445 | resource "aws_s3_bucket" "database_backup_files" {
		446 |   bucket = "${local.application_name}-db-backups-${local.environment}"
		447 |   acl    = "private"
		448 | 
		449 |   lifecycle {
		450 |     prevent_destroy = true
		451 |   }
		452 | 
		453 |   dynamic "lifecycle_rule" {
		454 |     for_each = true ? [true] : []
		455 | 
		456 |     content {
		457 |       enabled = true
		458 | 
		459 |       noncurrent_version_transition {
		460 |         days          = 30
		461 |         storage_class = "STANDARD_IA"
		462 |       }
		463 | 
		464 |       transition {
		465 |         days          = 60
		466 |         storage_class = "STANDARD_IA"
		467 |       }
		468 |     }
		469 |   }
		470 | 
		471 |   server_side_encryption_configuration {
		472 |     rule {
		473 |       apply_server_side_encryption_by_default {
		474 |         sse_algorithm     = "aws:kms"
		475 |         kms_master_key_id = aws_kms_key.s3.arn
		476 |       }
		477 |     }
		478 |   }
		479 | 
		480 |   versioning {
		481 |     enabled = true
		482 |   }
		483 | 
		484 |   tags = merge(
		485 |     local.tags,
		486 |     {
		487 |       Name = "${local.application_name}-db-backups-s3"
		488 |     }
		489 |   )
		490 | }


Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.upload_files
	File: /main.tf:545-590
	Guide: https://docs.bridgecrew.io/docs/s3_13-enable-logging

		545 | resource "aws_s3_bucket" "upload_files" {
		546 |   bucket = "${local.application_name}-uploads-${local.environment}"
		547 |   acl    = "private"
		548 | 
		549 |   lifecycle {
		550 |     prevent_destroy = true
		551 |   }
		552 | 
		553 |   dynamic "lifecycle_rule" {
		554 |     for_each = true ? [true] : []
		555 | 
		556 |     content {
		557 |       enabled = true
		558 | 
		559 |       noncurrent_version_transition {
		560 |         days          = 30
		561 |         storage_class = "STANDARD_IA"
		562 |       }
		563 | 
		564 |       transition {
		565 |         days          = 60
		566 |         storage_class = "STANDARD_IA"
		567 |       }
		568 |     }
		569 |   }
		570 | 
		571 |   server_side_encryption_configuration {
		572 |     rule {
		573 |       apply_server_side_encryption_by_default {
		574 |         sse_algorithm     = "aws:kms"
		575 |         kms_master_key_id = aws_kms_key.s3.arn
		576 |       }
		577 |     }
		578 |   }
		579 | 
		580 |   versioning {
		581 |     enabled = true
		582 |   }
		583 | 
		584 |   tags = merge(
		585 |     local.tags,
		586 |     {
		587 |       Name = "${local.application_name}-uploads"
		588 |     }
		589 |   )
		590 | }


Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.upload_files
	File: /main.tf:545-590
	Guide: https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled

		545 | resource "aws_s3_bucket" "upload_files" {
		546 |   bucket = "${local.application_name}-uploads-${local.environment}"
		547 |   acl    = "private"
		548 | 
		549 |   lifecycle {
		550 |     prevent_destroy = true
		551 |   }
		552 | 
		553 |   dynamic "lifecycle_rule" {
		554 |     for_each = true ? [true] : []
		555 | 
		556 |     content {
		557 |       enabled = true
		558 | 
		559 |       noncurrent_version_transition {
		560 |         days          = 30
		561 |         storage_class = "STANDARD_IA"
		562 |       }
		563 | 
		564 |       transition {
		565 |         days          = 60
		566 |         storage_class = "STANDARD_IA"
		567 |       }
		568 |     }
		569 |   }
		570 | 
		571 |   server_side_encryption_configuration {
		572 |     rule {
		573 |       apply_server_side_encryption_by_default {
		574 |         sse_algorithm     = "aws:kms"
		575 |         kms_master_key_id = aws_kms_key.s3.arn
		576 |       }
		577 |     }
		578 |   }
		579 | 
		580 |   versioning {
		581 |     enabled = true
		582 |   }
		583 | 
		584 |   tags = merge(
		585 |     local.tags,
		586 |     {
		587 |       Name = "${local.application_name}-uploads"
		588 |     }
		589 |   )
		590 | }


Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.s3-kms
	File: /main.tf:695-716
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint

		695 | data "aws_iam_policy_document" "s3-kms" {
		696 |   statement {
		697 |     effect    = "Allow"
		698 |     actions   = ["kms:*"]
		699 |     resources = ["*"]
		700 | 
		701 |     principals {
		702 |       type        = "Service"
		703 |       identifiers = ["s3.amazonaws.com"]
		704 |     }
		705 |   }
		706 |   statement {
		707 |     effect    = "Allow"
		708 |     actions   = ["kms:*"]
		709 |     resources = ["*"]
		710 | 
		711 |     principals {
		712 |       type        = "AWS"
		713 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		714 |     }
		715 |   }
		716 | }


Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.s3-kms
	File: /main.tf:695-716
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		695 | data "aws_iam_policy_document" "s3-kms" {
		696 |   statement {
		697 |     effect    = "Allow"
		698 |     actions   = ["kms:*"]
		699 |     resources = ["*"]
		700 | 
		701 |     principals {
		702 |       type        = "Service"
		703 |       identifiers = ["s3.amazonaws.com"]
		704 |     }
		705 |   }
		706 |   statement {
		707 |     effect    = "Allow"
		708 |     actions   = ["kms:*"]
		709 |     resources = ["*"]
		710 | 
		711 |     principals {
		712 |       type        = "AWS"
		713 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		714 |     }
		715 |   }
		716 | }


Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
	FAILED for resource: aws_lb.external
	File: /main.tf:229-242
	Guide: https://docs.bridgecrew.io/docs/ensure-that-alb-redirects-http-requests-into-https-ones

		229 | resource "aws_lb" "external" {
		230 |   name               = "${local.application_name}-loadbalancer"
		231 |   load_balancer_type = "application"
		232 |   subnets            = data.aws_subnet_ids.shared-public.ids
		233 | 
		234 |   security_groups = [aws_security_group.load_balancer_security_group.id]
		235 | 
		236 |   tags = merge(
		237 |     local.tags,
		238 |     {
		239 |       Name = "${local.application_name}-external-loadbalancer"
		240 |     }
		241 |   )
		242 | }


Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.database_backup_files
	File: /main.tf:445-490
	Guide: https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		445 | resource "aws_s3_bucket" "database_backup_files" {
		446 |   bucket = "${local.application_name}-db-backups-${local.environment}"
		447 |   acl    = "private"
		448 | 
		449 |   lifecycle {
		450 |     prevent_destroy = true
		451 |   }
		452 | 
		453 |   dynamic "lifecycle_rule" {
		454 |     for_each = true ? [true] : []
		455 | 
		456 |     content {
		457 |       enabled = true
		458 | 
		459 |       noncurrent_version_transition {
		460 |         days          = 30
		461 |         storage_class = "STANDARD_IA"
		462 |       }
		463 | 
		464 |       transition {
		465 |         days          = 60
		466 |         storage_class = "STANDARD_IA"
		467 |       }
		468 |     }
		469 |   }
		470 | 
		471 |   server_side_encryption_configuration {
		472 |     rule {
		473 |       apply_server_side_encryption_by_default {
		474 |         sse_algorithm     = "aws:kms"
		475 |         kms_master_key_id = aws_kms_key.s3.arn
		476 |       }
		477 |     }
		478 |   }
		479 | 
		480 |   versioning {
		481 |     enabled = true
		482 |   }
		483 | 
		484 |   tags = merge(
		485 |     local.tags,
		486 |     {
		487 |       Name = "${local.application_name}-db-backups-s3"
		488 |     }
		489 |   )
		490 | }


Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.upload_files
	File: /main.tf:545-590
	Guide: https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		545 | resource "aws_s3_bucket" "upload_files" {
		546 |   bucket = "${local.application_name}-uploads-${local.environment}"
		547 |   acl    = "private"
		548 | 
		549 |   lifecycle {
		550 |     prevent_destroy = true
		551 |   }
		552 | 
		553 |   dynamic "lifecycle_rule" {
		554 |     for_each = true ? [true] : []
		555 | 
		556 |     content {
		557 |       enabled = true
		558 | 
		559 |       noncurrent_version_transition {
		560 |         days          = 30
		561 |         storage_class = "STANDARD_IA"
		562 |       }
		563 | 
		564 |       transition {
		565 |         days          = 60
		566 |         storage_class = "STANDARD_IA"
		567 |       }
		568 |     }
		569 |   }
		570 | 
		571 |   server_side_encryption_configuration {
		572 |     rule {
		573 |       apply_server_side_encryption_by_default {
		574 |         sse_algorithm     = "aws:kms"
		575 |         kms_master_key_id = aws_kms_key.s3.arn
		576 |       }
		577 |     }
		578 |   }
		579 | 
		580 |   versioning {
		581 |     enabled = true
		582 |   }
		583 | 
		584 |   tags = merge(
		585 |     local.tags,
		586 |     {
		587 |       Name = "${local.application_name}-uploads"
		588 |     }
		589 |   )
		590 | }


Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.external
	File: /main.tf:229-242
	Guide: https://docs.bridgecrew.io/docs/ensure-public-facing-alb-are-protected-by-waf

		229 | resource "aws_lb" "external" {
		230 |   name               = "${local.application_name}-loadbalancer"
		231 |   load_balancer_type = "application"
		232 |   subnets            = data.aws_subnet_ids.shared-public.ids
		233 | 
		234 |   security_groups = [aws_security_group.load_balancer_security_group.id]
		235 | 
		236 |   tags = merge(
		237 |     local.tags,
		238 |     {
		239 |       Name = "${local.application_name}-external-loadbalancer"
		240 |     }
		241 |   )
		242 | }


checkov_exitcode=1

TFLint Scan Success

*****************************

tflint will check the following folders:
terraform/environments/performance-hub

*****************************

Running tflint in terraform/environments/performance-hub
Excluding the following checks: terraform_module_pinned_source
WARNING: The plugin `aws` is not explicitly enabled. The bundled plugin will be enabled instead, but it is deprecated and will be removed in a future version. Please see https://github.com/terraform-linters/tflint/pull/1160 for details.
tflint_exitcode=0
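Remediation for the checkov findings above, as an added example that is not part of this PR or the project's own code. Resource names are taken from the scan output (aws_s3_bucket.upload_files, aws_s3_bucket.database_backup_files, aws_lb.external, aws_kms_key.s3, data.aws_caller_identity.current); var.certificate_arn, aws_lb_target_group.app, aws_iam_role.app_task (the ECS task role that reads and writes the buckets) and data.aws_region.current are assumptions.

```hcl
# Added remediation example; not code from this PR or the project.
# Names from the scan output: aws_s3_bucket.upload_files, aws_s3_bucket.database_backup_files,
# aws_lb.external, data.aws_caller_identity.current. Assumed: var.certificate_arn,
# aws_lb_target_group.app, aws_iam_role.app_task, data.aws_region.current.

# CKV2_AWS_6: acl = "private" is not a public access block; attach one per bucket.
resource "aws_s3_bucket_public_access_block" "this" {
  for_each = {
    uploads = aws_s3_bucket.upload_files.id
    backups = aws_s3_bucket.database_backup_files.id
  }

  bucket                  = each.value
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CKV2_AWS_20 / tfsec aws-elbv2-http-not-used: port 80 only redirects; the app is
# served on 443. This replaces the plain-HTTP aws_lb_listener.listener in main.tf.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.external.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.external.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn # assumed ACM certificate ARN

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn # assumed name
  }
}

# CKV_AWS_109 / CKV_AWS_111: no principal gets kms:*. In a key policy "*" means this
# key only. The account-root statement stays (dropping it can leave the key
# unmanageable) but is cut to administration; key use is granted explicitly.
locals {
  kms_use_actions = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
  "kms:GenerateDataKey*", "kms:DescribeKey"]
}

data "aws_iam_policy_document" "s3-kms" {
  statement {
    sid    = "KeyAdministration"
    effect = "Allow"
    actions = [
      "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
      "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
      "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
      "kms:CancelKeyDeletion",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # For SSE-KMS, S3 calls KMS with the requester's identity, so the task role
  # (not the s3.amazonaws.com service principal) needs the data-key operations.
  # kms:ViaService stops the role using the key anywhere other than through S3.
  statement {
    sid       = "TaskRoleUseViaS3"
    effect    = "Allow"
    actions   = local.kms_use_actions
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.app_task.arn] # assumed ECS task role
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}
```

Two things this does not cover: the s3.amazonaws.com service-principal statement from the original policy is only needed by S3 features that act as the service itself (replication, inventory); if one of those is in use, grant it local.kms_use_actions in its own statement rather than kms:*. CKV2_AWS_28 needs an aws_wafv2_web_acl plus an aws_wafv2_web_acl_association on aws_lb.external, which is left out here. After adding the HTTPS listener, aws_security_group.load_balancer_security_group must also allow inbound 443, or the redirect lands on a closed port.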
