Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Glue Job added - 2211 - 1 #8752

Merged
merged 11 commits into from
Nov 27, 2024
Merged

Glue Job added - 2211 - 1 #8752

merged 11 commits into from
Nov 27, 2024

Conversation

madhu-k-sr2
Copy link
Contributor

No description provided.

@madhu-k-sr2 madhu-k-sr2 requested review from a team as code owners November 22, 2024 11:45
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Nov 22, 2024
@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development November 22, 2024 11:47 — with GitHub Actions Inactive
@madhu-k-sr2 madhu-k-sr2 had a problem deploying to electronic-monitoring-data-test November 22, 2024 11:48 — with GitHub Actions Error
@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development November 22, 2024 12:27 — with GitHub Actions Inactive
@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development November 22, 2024 15:08 — with GitHub Actions Inactive
@madhu-k-sr2 madhu-k-sr2 had a problem deploying to electronic-monitoring-data-test November 25, 2024 09:24 — with GitHub Actions Error
@madhu-k-sr2 madhu-k-sr2 had a problem deploying to electronic-monitoring-data-test November 25, 2024 19:06 — with GitHub Actions Error
@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development November 25, 2024 19:06 — with GitHub Actions Inactive
@madhu-k-sr2 madhu-k-sr2 had a problem deploying to electronic-monitoring-data-test November 25, 2024 19:22 — with GitHub Actions Error
@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development November 25, 2024 19:22 — with GitHub Actions Inactive
@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development November 26, 2024 12:02 — with GitHub Actions Inactive
@madhu-k-sr2 madhu-k-sr2 had a problem deploying to electronic-monitoring-data-test November 26, 2024 12:03 — with GitHub Actions Error
@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development November 26, 2024 13:34 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
terraform/environments/nomis-combined-reporting

Running Trivy in terraform/environments/electronic-monitoring-data
2024-11-26T13:34:20Z INFO [vulndb] Need to update DB
2024-11-26T13:34:20Z INFO [vulndb] Downloading vulnerability DB...
2024-11-26T13:34:20Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T13:34:22Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T13:34:22Z INFO [vuln] Vulnerability scanning is enabled
2024-11-26T13:34:22Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-26T13:34:22Z INFO [misconfig] Need to update the built-in checks
2024-11-26T13:34:22Z INFO [misconfig] Downloading the built-in checks...
2024-11-26T13:34:23Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 1.056283ms, allowed: 44000/minute\n\n"
2024-11-26T13:34:23Z INFO [secret] Secret scanning is enabled
2024-11-26T13:34:23Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T13:34:23Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T13:34:24Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-11-26T13:34:24Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-26T13:34:24Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-26T13:34:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-26T13:34:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-26T13:34:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:28Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:28Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:28Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:28Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:28Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:28Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="s3.tf:1121-1140"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="s3.tf:1121-1140"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="analytical_platform_share.tf:50-68"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-logging" range="s3.tf:1121-1140"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="s3.tf:1121-1140"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286"
2024-11-26T13:34:35Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411"
2024-11-26T13:34:35Z INFO Number of language-specific files num=1
2024-11-26T13:34:35Z INFO [pip] Detecting vulnerabilities...
2024-11-26T13:34:35Z INFO Detected config files num=17

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

trivy_exitcode=1

Running Trivy in terraform/environments/nomis-combined-reporting
2024-11-26T13:34:35Z INFO [vuln] Vulnerability scanning is enabled
2024-11-26T13:34:35Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-26T13:34:35Z INFO [misconfig] Need to update the built-in checks
2024-11-26T13:34:35Z INFO [misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-26T13:34:36Z INFO [secret] Secret scanning is enabled
2024-11-26T13:34:36Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T13:34:36Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T13:34:37Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-26T13:34:37Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_backup_plan.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_backup_selection.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_cloudwatch_log_group.route53" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_cloudwatch_log_group.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_cloudwatch_log_metric_filter.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_cloudwatch_metric_alarm.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_iam_policy.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_iam_role.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_iam_service_linked_role.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_key_pair.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_kms_grant.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_lb_target_group.instance" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_lb_target_group_attachment.instance" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_oam_link.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_oam_sink.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_oam_sink_policy.monitoring_account_oam_sink_policy" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_query_log.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_record.core_network_services" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_record.core_vpc" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_record.self" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_resolver_endpoint.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_resolver_rule.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_resolver_rule_association.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_zone.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_secretsmanager_secret.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_secretsmanager_secret_version.fixed" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_security_group.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_security_group_rule.route53_resolver" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_security_group_rule.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_sns_topic.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_sns_topic_subscription.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_ssm_association.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_ssm_document.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_ssm_parameter.fixed" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_ssm_parameter.placeholder" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.data.aws_iam_policy_document.assume_role" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.data.aws_iam_policy_document.secretsmanager_secret_policy" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.data.aws_iam_policy_document.this" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.acm_certificate" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.cloudwatch_dashboard" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.ec2_autoscaling_group" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.ec2_instance" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.efs" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.fsx_windows" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.lb" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.lb_listener" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.s3_bucket" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.random_password.secrets" value="cty.NilVal"
2024-11-26T13:34:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.random_password.this" value="cty.NilVal"
2024-11-26T13:34:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.bastion_linux[0].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-26T13:34:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.bastion_linux[0].data.aws_subnet.local_account" value="cty.NilVal"
2024-11-26T13:34:38Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:38Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:39Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:39Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.schedule_alarms_lambda[0].aws_cloudwatch_event_rule.alarm_scheduler" value="cty.NilVal"
2024-11-26T13:34:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.schedule_alarms_lambda[0].aws_cloudwatch_event_target.alarm_scheduler" value="cty.NilVal"
2024-11-26T13:34:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.schedule_alarms_lambda[0].aws_lambda_permission.allow_cloudwatch" value="cty.NilVal"
2024-11-26T13:34:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.environment.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-26T13:34:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.environment.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-26T13:34:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.environment.data.aws_subnet.this" value="cty.NilVal"
2024-11-26T13:34:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.environment.data.aws_subnets.this" value="cty.NilVal"
2024-11-26T13:34:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.bastion_linux[0].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-26T13:34:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.bastion_linux[0].data.aws_subnet.local_account" value="cty.NilVal"
2024-11-26T13:34:40Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:40Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:40Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:40Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.schedule_alarms_lambda[0].aws_cloudwatch_event_rule.alarm_scheduler" value="cty.NilVal"
2024-11-26T13:34:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.schedule_alarms_lambda[0].aws_cloudwatch_event_target.alarm_scheduler" value="cty.NilVal"
2024-11-26T13:34:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.schedule_alarms_lambda[0].aws_lambda_permission.allow_cloudwatch" value="cty.NilVal"
2024-11-26T13:34:41Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=836db079348a2b40d59bd9cb953111e8ad61aec1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-11-26T13:34:41Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.1.0/main.tf:150-160"
2024-11-26T13:34:41Z INFO Number of language-specific files num=0
2024-11-26T13:34:41Z INFO Detected config files num=4
trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data
terraform/environments/nomis-combined-reporting

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-26 13:34:44,200 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3:None (for external modules, the --download-external-modules flag is required)
2024-11-26 13:34:44,200 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060:None (for external modules, the --download-external-modules flag is required)
2024-11-26 13:34:44,200 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:None (for external modules, the --download-external-modules flag is required)
2024-11-26 13:34:44,200 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.0 (for external modules, the --download-external-modules flag is required)
2024-11-26 13:34:44,200 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2024-11-26 13:34:44,201 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=52a40b0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 2960, Failed checks: 80, Skipped checks: 95

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_events
	File: /data_store.tf:17-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "s3_events" {
		18 |   name = "${module.s3-data-bucket.bucket.id}-object-created-topic"
		19 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:58-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		59 |   name              = "dms-dv-glue-job"
		60 |   retention_in_days = 14
		61 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:58-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		59 |   name              = "dms-dv-glue-job"
		60 |   retention_in_days = 14
		61 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:373-403
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		373 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		374 |   count = local.gluejob_count
		375 | 
		376 |   name              = "catalog-dv-table-glue-job"
		377 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		378 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		379 |   glue_version      = "4.0"
		380 |   worker_type       = "G.1X"
		381 |   number_of_workers = 2
		382 |   default_arguments = {
		383 |     "--parquet_output_bucket_name"       = module.s3-dms-data-validation-bucket.bucket.id
		384 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		385 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		386 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		387 |     "--enable-continuous-cloudwatch-log" = "true"
		388 |     "--enable-continuous-log-filter"     = "true"
		389 |     "--enable-metrics"                   = ""
		390 |   }
		391 |   command {
		392 |     python_version  = "3"
		393 |     script_location = "s3://${module.s3-glue-job-script-bucket.bucket.id}/create_or_replace_dv_table.py"
		394 |   }
		395 | 
		396 |   tags = merge(
		397 |     local.tags,
		398 |     {
		399 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		400 |     }
		401 |   )
		402 | 
		403 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:10-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		10 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v1" {
		11 |   name              = "dms-dv-rds-to-s3-parquet-v1"
		12 |   retention_in_days = 14
		13 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:10-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		10 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v1" {
		11 |   name              = "dms-dv-rds-to-s3-parquet-v1"
		12 |   retention_in_days = 14
		13 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:22-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		87 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v2" {
		88 |   name              = "dms-dv-rds-to-s3-parquet-v2"
		89 |   retention_in_days = 14
		90 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		87 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v2" {
		88 |   name              = "dms-dv-rds-to-s3-parquet-v2"
		89 |   retention_in_days = 14
		90 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:99-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:157-160
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		157 | resource "aws_cloudwatch_log_group" "etl_rds_to_s3_parquet_partitionby_yyyy_mm" {
		158 |   name              = "etl-rds-to-s3-parquet-partitionby-yyyy-mm"
		159 |   retention_in_days = 14
		160 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:157-160
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		157 | resource "aws_cloudwatch_log_group" "etl_rds_to_s3_parquet_partitionby_yyyy_mm" {
		158 |   name              = "etl-rds-to-s3-parquet-partitionby-yyyy-mm"
		159 |   retention_in_days = 14
		160 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:169-223
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:226-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		226 | resource "aws_cloudwatch_log_group" "etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm" {
		227 |   name              = "etl-dv-rds-to-s3-parquet-partitionby-yyyy-mm"
		228 |   retention_in_days = 14
		229 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:226-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		226 | resource "aws_cloudwatch_log_group" "etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm" {
		227 |   name              = "etl-dv-rds-to-s3-parquet-partitionby-yyyy-mm"
		228 |   retention_in_days = 14
		229 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:238-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:307-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		307 | resource "aws_cloudwatch_log_group" "parquet_resize_or_partitionby_yyyy_mm_dd" {
		308 |   name              = "parquet-resize-or-partitionby-yyyy-mm-dd"
		309 |   retention_in_days = 14
		310 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:307-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		307 | resource "aws_cloudwatch_log_group" "parquet_resize_or_partitionby_yyyy_mm_dd" {
		308 |   name              = "parquet-resize-or-partitionby-yyyy-mm-dd"
		309 |   retention_in_days = 14
		310 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:319-373
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:376-379
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		376 | resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" {
		377 |   name              = "etl-table-rows-hashvalue-to-parquet"
		378 |   retention_in_days = 14
		379 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:376-379
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		376 | resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" {
		377 |   name              = "etl-table-rows-hashvalue-to-parquet"
		378 |   retention_in_days = 14
		379 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:388-438
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:442-445
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		442 | resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" {
		443 |   name              = "dms-dv-on-rows-hashvalue"
		444 |   retention_in_days = 14
		445 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:442-445
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		442 | resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" {
		443 |   name              = "dms-dv-on-rows-hashvalue"
		444 |   retention_in_days = 14
		445 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:454-505
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:509-512
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		509 | resource "aws_cloudwatch_log_group" "etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm" {
		510 |   name              = "etl-rds-tbl-hash-rows-to-s3-prq-partitionby-yyyy-mm"
		511 |   retention_in_days = 14
		512 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:509-512
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		509 | resource "aws_cloudwatch_log_group" "etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm" {
		510 |   name              = "etl-rds-tbl-hash-rows-to-s3-prq-partitionby-yyyy-mm"
		511 |   retention_in_days = 14
		512 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:521-576
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:578-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		578 | resource "aws_cloudwatch_log_group" "etl_rds_sqlserver_query_to_s3_parquet" {
		579 |   name              = "etl-rds-sqlserver-query-to-s3-parquet"
		580 |   retention_in_days = 14
		581 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:578-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		578 | resource "aws_cloudwatch_log_group" "etl_rds_sqlserver_query_to_s3_parquet" {
		579 |   name              = "etl-rds-sqlserver-query-to-s3-parquet"
		580 |   retention_in_days = 14
		581 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:590-644
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:103-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		103 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		104 |   statement {
		105 |     effect = "Allow"
		106 |     actions = [
		107 |       "ec2:CreateNetworkInterface",
		108 |       "ec2:DescribeNetworkInterfaces",
		109 |       "ec2:DeleteNetworkInterface",
		110 |       "ec2:DescribeVpcEndpoints",
		111 |       "ec2:DescribeSubnets",
		112 |       "ec2:DescribeVpcAttribute",
		113 |       "ec2:DescribeRouteTables",
		114 |       "ec2:DescribeSecurityGroups"
		115 |     ]
		116 |     resources = ["*"]
		117 |   }
		118 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:103-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		103 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		104 |   statement {
		105 |     effect = "Allow"
		106 |     actions = [
		107 |       "ec2:CreateNetworkInterface",
		108 |       "ec2:DescribeNetworkInterfaces",
		109 |       "ec2:DeleteNetworkInterface",
		110 |       "ec2:DescribeVpcEndpoints",
		111 |       "ec2:DescribeSubnets",
		112 |       "ec2:DescribeVpcAttribute",
		113 |       "ec2:DescribeRouteTables",
		114 |       "ec2:DescribeSecurityGroups"
		115 |     ]
		116 |     resources = ["*"]
		117 |   }
		118 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:292-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:292-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: module.athena_layer.aws_sfn_state_machine.this
	File: /modules/step_function/main.tf:4-14
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		4  | resource "aws_sfn_state_machine" "this" {
		5  |   name       = var.name
		6  |   role_arn   = aws_iam_role.step_function_role.arn
		7  |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
		8  |   type       = var.type
		9  |   logging_configuration {
		10 |     log_destination        = "${aws_cloudwatch_log_group.this_log_group.arn}:*"
		11 |     include_execution_data = true
		12 |     level                  = "ALL"
		13 |   }
		14 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: module.get_zipped_file_api.aws_sfn_state_machine.this
	File: /modules/step_function/main.tf:4-14
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		4  | resource "aws_sfn_state_machine" "this" {
		5  |   name       = var.name
		6  |   role_arn   = aws_iam_role.step_function_role.arn
		7  |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
		8  |   type       = var.type
		9  |   logging_configuration {
		10 |     log_destination        = "${aws_cloudwatch_log_group.this_log_group.arn}:*"
		11 |     include_execution_data = true
		12 |     level                  = "ALL"
		13 |   }
		14 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:81-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		81 | resource "aws_security_group" "glue_rds_conn_security_group" {
		82 |   name        = "glue-rds-sqlserver-connection-tf"
		83 |   description = "Secuity Group for Glue-RDS-Connection"
		84 |   vpc_id      = data.aws_vpc.shared.id
		85 | 
		86 |   tags = merge(
		87 |     local.tags,
		88 |     {
		89 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		90 |     }
		91 |   )
		92 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.buddi.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.capita.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/nomis-combined-reporting
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 166, Failed checks: 8, Skipped checks: 18

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda[0].aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda[0].aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda[0].aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda[0].aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda[0].aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda[0].aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda[0].aws_cloudwatch_log_group.execution_logs
	File: /../../modules/schedule_alarms_lambda/main.tf:29-34
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		29 | resource "aws_cloudwatch_log_group" "execution_logs" {
		30 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		31 |   retention_in_days = 7
		32 | 
		33 |   tags = var.tags
		34 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda[0].aws_cloudwatch_log_group.execution_logs
	File: /../../modules/schedule_alarms_lambda/main.tf:29-34
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		29 | resource "aws_cloudwatch_log_group" "execution_logs" {
		30 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		31 |   retention_in_days = 7
		32 | 
		33 |   tags = var.tags
		34 | }


checkov_exitcode=2

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data
terraform/environments/nomis-combined-reporting

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: module "cmt_front_end_assumable_role" should specify a version (terraform_module_version)

  on terraform/environments/electronic-monitoring-data/cloud_platform_share.tf line 1:
   1: module "cmt_front_end_assumable_role" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_version.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 151:
 151: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: `s3_pylib_dir_path` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/glue_variables.tf line 1:
   1: variable "s3_pylib_dir_path" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/nomis-combined-reporting
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
terraform/environments/nomis-combined-reporting

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-11-26T13:34:20Z	INFO	[vulndb] Need to update DB
2024-11-26T13:34:20Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-26T13:34:20Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T13:34:22Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T13:34:22Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-26T13:34:22Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-26T13:34:22Z	INFO	[misconfig] Need to update the built-in checks
2024-11-26T13:34:22Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-26T13:34:23Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 1.056283ms, allowed: 44000/minute\n\n"
2024-11-26T13:34:23Z	INFO	[secret] Secret scanning is enabled
2024-11-26T13:34:23Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T13:34:23Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T13:34:24Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-11-26T13:34:24Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-26T13:34:24Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-26T13:34:27Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-26T13:34:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-26T13:34:27Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:27Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:28Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:28Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:28Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:28Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:28Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:28Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="s3.tf:1121-1140"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="s3.tf:1121-1140"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="analytical_platform_share.tf:50-68"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-logging" range="s3.tf:1121-1140"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="s3.tf:1121-1140"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286"
2024-11-26T13:34:35Z	INFO	[terraform executor] Ignore finding	rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411"
2024-11-26T13:34:35Z	INFO	Number of language-specific files	num=1
2024-11-26T13:34:35Z	INFO	[pip] Detecting vulnerabilities...
2024-11-26T13:34:35Z	INFO	Detected config files	num=17

lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/nomis-combined-reporting
2024-11-26T13:34:35Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-26T13:34:35Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-26T13:34:35Z	INFO	[misconfig] Need to update the built-in checks
2024-11-26T13:34:35Z	INFO	[misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-26T13:34:36Z	INFO	[secret] Secret scanning is enabled
2024-11-26T13:34:36Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T13:34:36Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T13:34:37Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-26T13:34:37Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_backup_plan.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_backup_selection.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_cloudwatch_log_group.route53" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_cloudwatch_log_group.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_cloudwatch_log_metric_filter.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_cloudwatch_metric_alarm.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_iam_policy.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_iam_role.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_iam_service_linked_role.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_key_pair.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_kms_grant.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_lb_target_group.instance" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_lb_target_group_attachment.instance" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_oam_link.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_oam_sink.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_oam_sink_policy.monitoring_account_oam_sink_policy" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_query_log.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_record.core_network_services" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_record.core_vpc" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_record.self" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_resolver_endpoint.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_resolver_rule.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_resolver_rule_association.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_zone.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_secretsmanager_secret.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_secretsmanager_secret_version.fixed" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_security_group.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_security_group_rule.route53_resolver" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_security_group_rule.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_sns_topic.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_sns_topic_subscription.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_ssm_association.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_ssm_document.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_ssm_parameter.fixed" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_ssm_parameter.placeholder" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.data.aws_iam_policy_document.assume_role" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.data.aws_iam_policy_document.secretsmanager_secret_policy" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.data.aws_iam_policy_document.this" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.acm_certificate" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.cloudwatch_dashboard" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.ec2_autoscaling_group" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.ec2_instance" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.efs" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.fsx_windows" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.lb" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.lb_listener" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.s3_bucket" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.random_password.secrets" value="cty.NilVal"
2024-11-26T13:34:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.random_password.this" value="cty.NilVal"
2024-11-26T13:34:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.bastion_linux[0].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-26T13:34:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.bastion_linux[0].data.aws_subnet.local_account" value="cty.NilVal"
2024-11-26T13:34:38Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:38Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:39Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:39Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.schedule_alarms_lambda[0].aws_cloudwatch_event_rule.alarm_scheduler" value="cty.NilVal"
2024-11-26T13:34:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.schedule_alarms_lambda[0].aws_cloudwatch_event_target.alarm_scheduler" value="cty.NilVal"
2024-11-26T13:34:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.schedule_alarms_lambda[0].aws_lambda_permission.allow_cloudwatch" value="cty.NilVal"
2024-11-26T13:34:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.environment.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-26T13:34:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.environment.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-26T13:34:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.environment.data.aws_subnet.this" value="cty.NilVal"
2024-11-26T13:34:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.environment.data.aws_subnets.this" value="cty.NilVal"
2024-11-26T13:34:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.bastion_linux[0].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-26T13:34:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.bastion_linux[0].data.aws_subnet.local_account" value="cty.NilVal"
2024-11-26T13:34:40Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:40Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:40Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:40Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T13:34:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.schedule_alarms_lambda[0].aws_cloudwatch_event_rule.alarm_scheduler" value="cty.NilVal"
2024-11-26T13:34:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.schedule_alarms_lambda[0].aws_cloudwatch_event_target.alarm_scheduler" value="cty.NilVal"
2024-11-26T13:34:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.schedule_alarms_lambda[0].aws_lambda_permission.allow_cloudwatch" value="cty.NilVal"
2024-11-26T13:34:41Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=836db079348a2b40d59bd9cb953111e8ad61aec1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-11-26T13:34:41Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.1.0/main.tf:150-160"
2024-11-26T13:34:41Z	INFO	Number of language-specific files	num=0
2024-11-26T13:34:41Z	INFO	Detected config files	num=4
trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 had a problem deploying to electronic-monitoring-data-test November 26, 2024 14:35 — with GitHub Actions Error
@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development November 26, 2024 14:35 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

Running Trivy in terraform/environments/electronic-monitoring-data
2024-11-26T14:35:14Z INFO [vulndb] Need to update DB
2024-11-26T14:35:14Z INFO [vulndb] Downloading vulnerability DB...
2024-11-26T14:35:14Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T14:35:16Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T14:35:16Z INFO [vuln] Vulnerability scanning is enabled
2024-11-26T14:35:16Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-26T14:35:16Z INFO [misconfig] Need to update the built-in checks
2024-11-26T14:35:16Z INFO [misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-11-26T14:35:16Z INFO [secret] Secret scanning is enabled
2024-11-26T14:35:16Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T14:35:16Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T14:35:17Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-26T14:35:17Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-26T14:35:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-26T14:35:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-26T14:35:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:20Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:20Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:20Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:20Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-logging" range="s3.tf:1121-1140"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="s3.tf:1121-1140"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="s3.tf:1121-1140"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="s3.tf:1121-1140"
2024-11-26T14:35:26Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="analytical_platform_share.tf:50-68"
2024-11-26T14:35:27Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-11-26T14:35:27Z INFO Number of language-specific files num=1
2024-11-26T14:35:27Z INFO [pip] Detecting vulnerabilities...
2024-11-26T14:35:27Z INFO Detected config files num=17

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-26 14:35:29,586 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3:None (for external modules, the --download-external-modules flag is required)
2024-11-26 14:35:29,586 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060:None (for external modules, the --download-external-modules flag is required)
2024-11-26 14:35:29,586 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:None (for external modules, the --download-external-modules flag is required)
2024-11-26 14:35:29,586 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.0 (for external modules, the --download-external-modules flag is required)
2024-11-26 14:35:29,587 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2024-11-26 14:35:29,587 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=52a40b0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 2960, Failed checks: 80, Skipped checks: 95

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_events
	File: /data_store.tf:17-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "s3_events" {
		18 |   name = "${module.s3-data-bucket.bucket.id}-object-created-topic"
		19 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:58-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		59 |   name              = "dms-dv-glue-job"
		60 |   retention_in_days = 14
		61 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:58-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		59 |   name              = "dms-dv-glue-job"
		60 |   retention_in_days = 14
		61 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:373-403
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		373 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		374 |   count = local.gluejob_count
		375 | 
		376 |   name              = "catalog-dv-table-glue-job"
		377 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		378 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		379 |   glue_version      = "4.0"
		380 |   worker_type       = "G.1X"
		381 |   number_of_workers = 2
		382 |   default_arguments = {
		383 |     "--parquet_output_bucket_name"       = module.s3-dms-data-validation-bucket.bucket.id
		384 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		385 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		386 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		387 |     "--enable-continuous-cloudwatch-log" = "true"
		388 |     "--enable-continuous-log-filter"     = "true"
		389 |     "--enable-metrics"                   = ""
		390 |   }
		391 |   command {
		392 |     python_version  = "3"
		393 |     script_location = "s3://${module.s3-glue-job-script-bucket.bucket.id}/create_or_replace_dv_table.py"
		394 |   }
		395 | 
		396 |   tags = merge(
		397 |     local.tags,
		398 |     {
		399 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		400 |     }
		401 |   )
		402 | 
		403 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:10-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		10 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v1" {
		11 |   name              = "dms-dv-rds-to-s3-parquet-v1"
		12 |   retention_in_days = 14
		13 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:10-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		10 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v1" {
		11 |   name              = "dms-dv-rds-to-s3-parquet-v1"
		12 |   retention_in_days = 14
		13 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:22-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		87 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v2" {
		88 |   name              = "dms-dv-rds-to-s3-parquet-v2"
		89 |   retention_in_days = 14
		90 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		87 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v2" {
		88 |   name              = "dms-dv-rds-to-s3-parquet-v2"
		89 |   retention_in_days = 14
		90 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:99-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:157-160
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		157 | resource "aws_cloudwatch_log_group" "etl_rds_to_s3_parquet_partitionby_yyyy_mm" {
		158 |   name              = "etl-rds-to-s3-parquet-partitionby-yyyy-mm"
		159 |   retention_in_days = 14
		160 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:157-160
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		157 | resource "aws_cloudwatch_log_group" "etl_rds_to_s3_parquet_partitionby_yyyy_mm" {
		158 |   name              = "etl-rds-to-s3-parquet-partitionby-yyyy-mm"
		159 |   retention_in_days = 14
		160 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:169-223
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:226-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		226 | resource "aws_cloudwatch_log_group" "etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm" {
		227 |   name              = "etl-dv-rds-to-s3-parquet-partitionby-yyyy-mm"
		228 |   retention_in_days = 14
		229 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:226-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		226 | resource "aws_cloudwatch_log_group" "etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm" {
		227 |   name              = "etl-dv-rds-to-s3-parquet-partitionby-yyyy-mm"
		228 |   retention_in_days = 14
		229 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:238-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:307-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		307 | resource "aws_cloudwatch_log_group" "parquet_resize_or_partitionby_yyyy_mm_dd" {
		308 |   name              = "parquet-resize-or-partitionby-yyyy-mm-dd"
		309 |   retention_in_days = 14
		310 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:307-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		307 | resource "aws_cloudwatch_log_group" "parquet_resize_or_partitionby_yyyy_mm_dd" {
		308 |   name              = "parquet-resize-or-partitionby-yyyy-mm-dd"
		309 |   retention_in_days = 14
		310 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:319-373
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:376-379
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		376 | resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" {
		377 |   name              = "etl-table-rows-hashvalue-to-parquet"
		378 |   retention_in_days = 14
		379 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:376-379
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		376 | resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" {
		377 |   name              = "etl-table-rows-hashvalue-to-parquet"
		378 |   retention_in_days = 14
		379 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:388-438
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:442-445
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		442 | resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" {
		443 |   name              = "dms-dv-on-rows-hashvalue"
		444 |   retention_in_days = 14
		445 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:442-445
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		442 | resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" {
		443 |   name              = "dms-dv-on-rows-hashvalue"
		444 |   retention_in_days = 14
		445 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:454-505
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:509-512
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		509 | resource "aws_cloudwatch_log_group" "etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm" {
		510 |   name              = "etl-rds-tbl-hash-rows-to-s3-prq-partitionby-yyyy-mm"
		511 |   retention_in_days = 14
		512 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:509-512
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		509 | resource "aws_cloudwatch_log_group" "etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm" {
		510 |   name              = "etl-rds-tbl-hash-rows-to-s3-prq-partitionby-yyyy-mm"
		511 |   retention_in_days = 14
		512 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:521-576
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:578-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		578 | resource "aws_cloudwatch_log_group" "etl_rds_sqlserver_query_to_s3_parquet" {
		579 |   name              = "etl-rds-sqlserver-query-to-s3-parquet"
		580 |   retention_in_days = 14
		581 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:578-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		578 | resource "aws_cloudwatch_log_group" "etl_rds_sqlserver_query_to_s3_parquet" {
		579 |   name              = "etl-rds-sqlserver-query-to-s3-parquet"
		580 |   retention_in_days = 14
		581 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:590-644
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:103-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		103 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		104 |   statement {
		105 |     effect = "Allow"
		106 |     actions = [
		107 |       "ec2:CreateNetworkInterface",
		108 |       "ec2:DescribeNetworkInterfaces",
		109 |       "ec2:DeleteNetworkInterface",
		110 |       "ec2:DescribeVpcEndpoints",
		111 |       "ec2:DescribeSubnets",
		112 |       "ec2:DescribeVpcAttribute",
		113 |       "ec2:DescribeRouteTables",
		114 |       "ec2:DescribeSecurityGroups"
		115 |     ]
		116 |     resources = ["*"]
		117 |   }
		118 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:103-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		103 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		104 |   statement {
		105 |     effect = "Allow"
		106 |     actions = [
		107 |       "ec2:CreateNetworkInterface",
		108 |       "ec2:DescribeNetworkInterfaces",
		109 |       "ec2:DeleteNetworkInterface",
		110 |       "ec2:DescribeVpcEndpoints",
		111 |       "ec2:DescribeSubnets",
		112 |       "ec2:DescribeVpcAttribute",
		113 |       "ec2:DescribeRouteTables",
		114 |       "ec2:DescribeSecurityGroups"
		115 |     ]
		116 |     resources = ["*"]
		117 |   }
		118 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:292-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:292-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: module.athena_layer.aws_sfn_state_machine.this
	File: /modules/step_function/main.tf:4-14
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		4  | resource "aws_sfn_state_machine" "this" {
		5  |   name       = var.name
		6  |   role_arn   = aws_iam_role.step_function_role.arn
		7  |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
		8  |   type       = var.type
		9  |   logging_configuration {
		10 |     log_destination        = "${aws_cloudwatch_log_group.this_log_group.arn}:*"
		11 |     include_execution_data = true
		12 |     level                  = "ALL"
		13 |   }
		14 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: module.get_zipped_file_api.aws_sfn_state_machine.this
	File: /modules/step_function/main.tf:4-14
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		4  | resource "aws_sfn_state_machine" "this" {
		5  |   name       = var.name
		6  |   role_arn   = aws_iam_role.step_function_role.arn
		7  |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
		8  |   type       = var.type
		9  |   logging_configuration {
		10 |     log_destination        = "${aws_cloudwatch_log_group.this_log_group.arn}:*"
		11 |     include_execution_data = true
		12 |     level                  = "ALL"
		13 |   }
		14 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:81-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		81 | resource "aws_security_group" "glue_rds_conn_security_group" {
		82 |   name        = "glue-rds-sqlserver-connection-tf"
		83 |   description = "Secuity Group for Glue-RDS-Connection"
		84 |   vpc_id      = data.aws_vpc.shared.id
		85 | 
		86 |   tags = merge(
		87 |     local.tags,
		88 |     {
		89 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		90 |     }
		91 |   )
		92 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.buddi.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.capita.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: module "cmt_front_end_assumable_role" should specify a version (terraform_module_version)

  on terraform/environments/electronic-monitoring-data/cloud_platform_share.tf line 1:
   1: module "cmt_front_end_assumable_role" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_version.md

Warning: `s3_pylib_dir_path` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/glue_variables.tf line 1:
   1: variable "s3_pylib_dir_path" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 115:
 115: data "archive_file" "query_output_to_list" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-11-26T14:35:14Z	INFO	[vulndb] Need to update DB
2024-11-26T14:35:14Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-26T14:35:14Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T14:35:16Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-26T14:35:16Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-26T14:35:16Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-26T14:35:16Z	INFO	[misconfig] Need to update the built-in checks
2024-11-26T14:35:16Z	INFO	[misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-11-26T14:35:16Z	INFO	[secret] Secret scanning is enabled
2024-11-26T14:35:16Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-26T14:35:16Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-26T14:35:17Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-26T14:35:17Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-26T14:35:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-26T14:35:19Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-26T14:35:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:20Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:20Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:20Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:20Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-logging" range="s3.tf:1121-1140"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="s3.tf:1121-1140"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="s3.tf:1121-1140"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="s3.tf:1121-1140"
2024-11-26T14:35:26Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="analytical_platform_share.tf:50-68"
2024-11-26T14:35:27Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-11-26T14:35:27Z	INFO	Number of language-specific files	num=1
2024-11-26T14:35:27Z	INFO	[pip] Detecting vulnerabilities...
2024-11-26T14:35:27Z	INFO	Detected config files	num=17

lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────


trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 merged commit fc4bdf6 into main Nov 27, 2024
14 of 16 checks passed
@madhu-k-sr2 madhu-k-sr2 deleted the ELM-3031_generate_partitioned_rowhash_values branch November 27, 2024 11:40
matt-k1998 added a commit that referenced this pull request Nov 27, 2024
@matt-k1998
Squashed commit of the following:
71e3870 
commit 76aa336
Author: Mateusz Kolakowski <mateusz.kolakowski@justice.gov.uk>
Date:   Wed Nov 27 12:14:22 2024 +0000

    Tribunals: Update some more route53 records to point at the old nginx LB (#8829)

commit bf7ddd2
Author: Mateusz Kolakowski <mateusz.kolakowski@justice.gov.uk>
Date:   Wed Nov 27 12:03:03 2024 +0000

    Tribunals: fix syntax error in route53 record (#8826)

commit 9ad043b
Author: Mateusz Kolakowski <mateusz.kolakowski@justice.gov.uk>
Date:   Wed Nov 27 11:56:24 2024 +0000

    Tribunals: point back some route53 records at the old ngninx LB (#8825)

commit 66991bf
Author: tom-ogle-moj <142220790+tom-ogle-moj@users.noreply.github.com>
Date:   Wed Nov 27 11:52:49 2024 +0000

    DPR2-1435: Make postgres_settings configuration block conditional on the engine type being postgres. (#8822)

    This avoids the terraform plan being polluted with changes to postgres settings for oracle sources that need reapplying on every terraform run.

commit fc4bdf6
Merge: 01b4ac1 07927cc
Author: madhu-k-sr2 <123549389+madhu-k-sr2@users.noreply.github.com>
Date:   Wed Nov 27 11:40:40 2024 +0000

    Merge pull request #8752 from ministryofjustice/ELM-3031_generate_partitioned_rowhash_values

    Glue Job added - 2211 - 1

commit 01b4ac1
Merge: 86efa22 6e373c2
Author: Nick Buckingham <135870440+nbuckingham72@users.noreply.github.com>
Date:   Wed Nov 27 09:33:27 2024 +0000

    Merge pull request #8819 from ministryofjustice/Update_271124_3

    Update_271124_3

commit 86efa22
Author: tom-ogle-moj <142220790+tom-ogle-moj@users.noreply.github.com>
Date:   Wed Nov 27 09:13:29 2024 +0000

    DPR2-1435: Default Postgres DMS source heartbeat frequency to 5 minutes. (#8799)

    * DPR2-1435: Default Postgres DMS source heartbeat frequency to 5 minutes.
    This is because terraform seems to default it to 0 instead of 5, which should be the default.

    * DPR2-1435: Remove unused fake data ingestor which sends data to kinesis

    * DPR2-1435: checkov skip

    * DPR2-1435: tflint changes

commit 6e373c2
Author: Buckingham <XC01857@lumen.com>
Date:   Wed Nov 27 09:05:01 2024 +0000

    Update_271124_3

commit 6ed6ade
Merge: 6fd8bb9 52128a3
Author: Nick Buckingham <135870440+nbuckingham72@users.noreply.github.com>
Date:   Wed Nov 27 08:56:39 2024 +0000

    Merge pull request #8818 from ministryofjustice/Update_271124_2

    Update 271124 2

commit 52128a3
Author: Buckingham <XC01857@lumen.com>
Date:   Wed Nov 27 08:49:41 2024 +0000

    Update_271124_2

commit bf844b2
Author: Buckingham <XC01857@lumen.com>
Date:   Wed Nov 27 08:46:17 2024 +0000

    Update_271124_1

commit 6fd8bb9
Merge: 95b5f7d 5a2dcb0
Author: Nick Buckingham <135870440+nbuckingham72@users.noreply.github.com>
Date:   Tue Nov 26 15:08:32 2024 +0000

    Merge pull request #8815 from ministryofjustice/Update_261124_8

    Update_261124_8

commit 5a2dcb0
Author: Buckingham <XC01857@lumen.com>
Date:   Tue Nov 26 15:03:34 2024 +0000

    Update_261124_8

commit 07927cc
Author: Madhu Kadiri <madhu.kadiri2@justice.gov.uk>
Date:   Tue Nov 26 14:32:51 2024 +0000

    new GlueJob modified - 2611 - 3

commit 95b5f7d
Merge: dde030c 8dc073e
Author: Nick Buckingham <135870440+nbuckingham72@users.noreply.github.com>
Date:   Tue Nov 26 13:56:42 2024 +0000

    Merge pull request #8811 from ministryofjustice/Update_261124_7

    Update_261124_7

commit 8dc073e
Author: Buckingham <XC01857@lumen.com>
Date:   Tue Nov 26 13:50:58 2024 +0000

    Update_261124_7

commit dde030c
Merge: 10c76a2 9eba396
Author: Nick Buckingham <135870440+nbuckingham72@users.noreply.github.com>
Date:   Tue Nov 26 13:40:35 2024 +0000

    Merge pull request #8809 from ministryofjustice/Update_261124_6

    Update_261124_6

commit 9eba396
Author: Buckingham <XC01857@lumen.com>
Date:   Tue Nov 26 13:36:20 2024 +0000

    Update_261124_6

commit 10c76a2
Merge: 32a8024 8bc374a
Author: Jacob Woffenden <jacob@woffenden.io>
Date:   Tue Nov 26 13:35:21 2024 +0000

    Merge pull request #8803 from ministryofjustice/fix/op-amp-region

    🔀 Fix a hardcoded region in APS string

commit 32a8024
Author: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com>
Date:   Tue Nov 26 13:32:42 2024 +0000

    TM-739: ncr: Add T1 BI secrets (#8806)

commit 2790748
Author: Madhu Kadiri <madhu.kadiri2@justice.gov.uk>
Date:   Tue Nov 26 13:31:52 2024 +0000

    new GlueJob modified - 2611 - 2

commit 37865a8
Merge: 6d3de1d 690f3af
Author: Madhu Kadiri <madhu.kadiri2@justice.gov.uk>
Date:   Tue Nov 26 13:30:08 2024 +0000

    Merge branch 'main' of https://github.com/ministryofjustice/modernisation-platform-environments into ELM-3031_generate_partitioned_rowhash_values

commit 690f3af
Merge: 458da09 fdf8ea7
Author: Nick Buckingham <135870440+nbuckingham72@users.noreply.github.com>
Date:   Tue Nov 26 13:28:31 2024 +0000

    Merge pull request #8808 from ministryofjustice/Update_261124_5

    Update 261124 5

commit fdf8ea7
Author: Buckingham <XC01857@lumen.com>
Date:   Tue Nov 26 13:23:34 2024 +0000

    Update_261124_5

commit 8a86f3b
Author: Buckingham <XC01857@lumen.com>
Date:   Tue Nov 26 13:22:06 2024 +0000

    Update_261124_4

commit 261ace7
Author: Buckingham <XC01857@lumen.com>
Date:   Tue Nov 26 13:17:44 2024 +0000

    Update_261124_3

commit 458da09
Merge: 34c32fa 7b597f2
Author: Nick Buckingham <135870440+nbuckingham72@users.noreply.github.com>
Date:   Tue Nov 26 13:10:19 2024 +0000

    Merge pull request #8804 from ministryofjustice/Update_261124_2

    Update_261124_2

commit 7b597f2
Author: Buckingham <XC01857@lumen.com>
Date:   Tue Nov 26 13:04:32 2024 +0000

    Update_261124_2

commit 8bc374a
Author: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
Date:   Tue Nov 26 12:59:58 2024 +0000

    need to review this code, i dont to explicity set these

    Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>

commit 34c32fa
Merge: 572828a 7f2e482
Author: Nick Buckingham <135870440+nbuckingham72@users.noreply.github.com>
Date:   Tue Nov 26 12:58:39 2024 +0000

    Merge pull request #8802 from ministryofjustice/Update_261124_1

    Update_261124_1

commit 9d057ed
Author: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
Date:   Tue Nov 26 12:53:47 2024 +0000

    I missed this hardcoded region

    Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>

commit 7f2e482
Author: Buckingham <XC01857@lumen.com>
Date:   Tue Nov 26 12:53:26 2024 +0000

    Update_261124_1

commit 572828a
Merge: fc9c9aa 8af74ac
Author: Jacob Woffenden <jacob@woffenden.io>
Date:   Tue Nov 26 12:33:27 2024 +0000

    Merge pull request #8798 from ministryofjustice/chore/amp-region

    🌐 Allow tenants to set AMP region

commit 6d3de1d
Author: Madhu Kadiri <madhu.kadiri2@justice.gov.uk>
Date:   Tue Nov 26 12:00:45 2024 +0000

    new GlueJob modified - 2611 - 1

commit 9d988e4
Merge: 52a8b6d fc9c9aa
Author: Madhu Kadiri <madhu.kadiri2@justice.gov.uk>
Date:   Tue Nov 26 11:54:03 2024 +0000

    Merge branch 'main' of https://github.com/ministryofjustice/modernisation-platform-environments into ELM-3031_generate_partitioned_rowhash_values

commit fc9c9aa
Author: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com>
Date:   Tue Nov 26 10:40:25 2024 +0000

    TM-720: fix schedule alarms (#8800)

    * TM-720: fix for schedule-alarms

    * add output

    * fix

commit 8af74ac
Merge: f686e3d b1793de
Author: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
Date:   Tue Nov 26 10:01:31 2024 +0000

    Merge branch 'main' into chore/amp-region

commit f686e3d
Author: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
Date:   Tue Nov 26 09:53:18 2024 +0000

    Testing optional AMP region

    Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>

commit b1793de
Merge: 48392a9 63f7be3
Author: Aaron Robinson <41325732+ASTRobinson@users.noreply.github.com>
Date:   Tue Nov 26 09:49:19 2024 +0000

    Merge pull request #8794 from ministryofjustice/dependabot/github_actions/bridgecrewio/checkov-action-12.2920.0

    Bump bridgecrewio/checkov-action from 12.2918.0 to 12.2920.0

commit 48392a9
Author: Matthew Price <matthew.price2@justice.gov.uk>
Date:   Tue Nov 26 09:36:48 2024 +0000

    Temporarily remove mdss prod account details while testing (#8796)

commit 9971663
Merge: d01b22d d655ce3
Author: Jacob Woffenden <jacob@woffenden.io>
Date:   Tue Nov 26 09:20:25 2024 +0000

    Merge pull request #8795 from ministryofjustice/feat/op-ap-de-onboarding

    🔭 Onboard Analytical Platform and Data Engineering accounts

commit d655ce3
Author: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
Date:   Tue Nov 26 09:05:51 2024 +0000

    Onboard AP and DE accounts

    Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>

commit d01b22d
Merge: a7716a8 0d1851e
Author: Jacob Woffenden <jacob@woffenden.io>
Date:   Tue Nov 26 08:48:33 2024 +0000

    Merge pull request #8793 from ministryofjustice/chore/op-migrate

    Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>

commit a7716a8
Merge: 4679202 50edcd2
Author: Khatraf <152973377+Khatraf@users.noreply.github.com>
Date:   Tue Nov 26 08:47:06 2024 +0000

    Merge pull request #8783 from ministryofjustice/feature/enable-guardduty-s3-malware-protection

    Add GuardDuty S3 malware protection for specified S3 buckets

commit 63f7be3
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Tue Nov 26 00:05:31 2024 +0000

    Bump bridgecrewio/checkov-action from 12.2918.0 to 12.2920.0

    Bumps [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) from 12.2918.0 to 12.2920.0.
    - [Release notes](https://github.com/bridgecrewio/checkov-action/releases)
    - [Commits](bridgecrewio/checkov-action@05decb4...5ae57a8)

    ---
    updated-dependencies:
    - dependency-name: bridgecrewio/checkov-action
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit 0d1851e
Author: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
Date:   Mon Nov 25 21:14:52 2024 +0000

    Fix SCA in ingestion

    Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>

commit b1dbfc6
Author: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
Date:   Mon Nov 25 21:05:27 2024 +0000

    Update analytical-platform-ingestion

    Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>

commit 69c7ae3
Author: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
Date:   Mon Nov 25 21:04:30 2024 +0000

    Remove APC observability_platform local

    Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>

commit 3813430
Author: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
Date:   Mon Nov 25 21:04:04 2024 +0000

    Update analytical-platform-compute

    Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>

commit 52a8b6d
Author: Madhu Kadiri <madhu.kadiri2@justice.gov.uk>
Date:   Mon Nov 25 19:04:16 2024 +0000

    new GlueJob Added - 2511 - 1

commit 4679202
Author: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com>
Date:   Mon Nov 25 17:18:59 2024 +0000

    TM-720: endpoint monitoring improvements (#8792)

    * simplify code

    * use aws urls where possible

commit 315bef3
Merge: 21130b0 43261b0
Author: Madhu Kadiri <madhu.kadiri2@justice.gov.uk>
Date:   Mon Nov 25 16:52:19 2024 +0000

    Merge branch 'main' of https://github.com/ministryofjustice/modernisation-platform-environments into ELM-3031_generate_partitioned_rowhash_values

commit 43261b0
Merge: 038d8a1 fe8d815
Author: Jacob Woffenden <jacob@woffenden.io>
Date:   Mon Nov 25 16:35:00 2024 +0000

    Merge pull request #8789 from ministryofjustice/chore/op-migrate-tenant-config

    Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>

commit 50edcd2
Author: khatraf <khatra.farah@digital.justice.gov.uk>
Date:   Mon Nov 25 14:40:26 2024 +0000

    trigger pipeline

commit 038d8a1
Author: Matthew Price <matthew.price2@justice.gov.uk>
Date:   Mon Nov 25 15:50:05 2024 +0000

    Add kms key generation for use with landing bucket (#8755)

    * Add kms key generation for use with landing bucket

    * Change kms permission to use lambda role not lambda

    * Add cross account encyption grant

    * Add lambda decrypt

    * alternate lambda policy

    * Final tidy

    * Remove context as lamdba would need to use context also.

commit 251e298
Merge: 89fb79a f714700
Author: Rich Green <149596574+richgreen-moj@users.noreply.github.com>
Date:   Mon Nov 25 15:00:37 2024 +0000

    Merge pull request #8787 from ministryofjustice/panda-cyber-defect-dojo

    Updated associate_public_ip_address to true

commit fe8d815
Author: Jacob Woffenden <jacob.woffenden@justice.gov.uk>
Date:   Mon Nov 25 14:53:45 2024 +0000

    Migrate tenants

    Signed-off-by: Jacob Woffenden <jacob.woffenden@justice.gov.uk>

commit f714700
Merge: 7513bca 89fb79a
Author: jodiejones-moj <jodie.jones@digital.justice.gov.uk>
Date:   Mon Nov 25 14:48:37 2024 +0000

    Merge branch 'main' into panda-cyber-defect-dojo

commit 89fb79a
Author: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com>
Date:   Mon Nov 25 14:47:52 2024 +0000

    TM-720: enable scheduled ssm command monitoring (#8785)

    * align main.tf across accounts

    * enable ssm monitoring and widgets

    * fix

    * fix

    * remove alarm

commit 7513bca
Author: jodiejones-moj <jodie.jones@digital.justice.gov.uk>
Date:   Mon Nov 25 14:44:51 2024 +0000

    Updated associate_public_ip_address to true

commit 01df13f
Merge: d6b534d 4a68669
Author: jodiejones-moj <jodie.jones@digital.justice.gov.uk>
Date:   Mon Nov 25 14:42:26 2024 +0000

    Merge branch 'main' into panda-cyber-defect-dojo

commit d6b534d
Merge: 08f7720 cc41b2b
Author: jodiejones-moj <jodie.jones@digital.justice.gov.uk>
Date:   Mon Nov 25 14:36:31 2024 +0000

    Merge branch 'main' into panda-cyber-defect-dojo

commit 4a68669
Merge: cc41b2b e49c960
Author: bill-buchan <55987520+bill-buchan@users.noreply.github.com>
Date:   Mon Nov 25 14:12:11 2024 +0000

    Merge pull request #8721 from ministryofjustice/DBA-740

    Add a transformation to remove the STAFF_ID column from USER_ data

commit 08f7720
Author: jodiejones-moj <jodie.jones@digital.justice.gov.uk>
Date:   Mon Nov 25 13:59:56 2024 +0000

    Change assocaited_public_ip_address to true

commit ad08114
Author: khatraf <khatra.farah@digital.justice.gov.uk>
Date:   Mon Nov 25 13:20:50 2024 +0000

    Add GuardDuty S3 malware protection for specified S3 buckets

commit cc41b2b
Author: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com>
Date:   Mon Nov 25 12:38:18 2024 +0000

    Remote deleted roles from secrets manager sharing (#8782)

commit e49c960
Merge: c36f540 e0ae86f
Author: George Taylor <george.taylor@digital.justice.gov.uk>
Date:   Mon Nov 25 11:10:53 2024 +0000

    Merge branch 'DBA-740' of https://github.com/ministryofjustice/modernisation-platform-environments into DBA-740

commit e0ae86f
Merge: 3bdf59e 55fb451
Author: Bill Buchan <bill.buchan@digital.justice.gov.uk>
Date:   Mon Nov 25 09:02:24 2024 +0000

    Merge branch 'main' into DBA-740

commit 3bdf59e
Merge: aec7b9b b8119fc
Author: Bill Buchan <bill.buchan@digital.justice.gov.uk>
Date:   Fri Nov 22 17:01:55 2024 +0000

    Merge branch 'main' into DBA-740

commit aec7b9b
Author: Bill Buchan <bill.buchan@digital.justice.gov.uk>
Date:   Wed Nov 20 09:45:52 2024 +0000

    Add a transformation to remove the USER_ID column from USER_ data

commit 21130b0
Author: Madhu Kadiri <madhu.kadiri2@justice.gov.uk>
Date:   Fri Nov 22 15:04:38 2024 +0000

    Glue Job added - 2211 - 3

commit cdfc6e3
Merge: 3f432de e354690
Author: Madhu Kadiri <madhu.kadiri2@justice.gov.uk>
Date:   Fri Nov 22 15:03:25 2024 +0000

    Merge branch 'main' of https://github.com/ministryofjustice/modernisation-platform-environments into ELM-3031_generate_partitioned_rowhash_values

commit 3f432de
Author: Madhu Kadiri <madhu.kadiri2@justice.gov.uk>
Date:   Fri Nov 22 12:23:15 2024 +0000

    Glue Job added - 2211 - 2

commit a8249de
Author: Madhu Kadiri <madhu.kadiri2@justice.gov.uk>
Date:   Fri Nov 22 11:44:29 2024 +0000

    Glue Job added - 2211 - 1

commit c36f540
Merge: 3af4cef efaed94
Author: Bill Buchan <bill.buchan@digital.justice.gov.uk>
Date:   Wed Nov 20 09:58:05 2024 +0000

    Merge branch 'main' into DBA-740

commit 3af4cef
Author: Bill Buchan <bill.buchan@digital.justice.gov.uk>
Date:   Wed Nov 20 09:45:52 2024 +0000

    Add a transformation to remove the USER_ID column from USER_ data

commit baab6a0
Author: jodiejones-moj <jodie.jones@digital.justice.gov.uk>
Date:   Fri Nov 8 16:07:54 2024 +0000

    Removed lifecycle code block

commit 42562bb
Author: jodiejones-moj <jodie.jones@digital.justice.gov.uk>
Date:   Fri Nov 8 15:50:47 2024 +0000

    Set associate_public_ip_address to false and added lifecycle block

commit 0333241
Author: jodiejones-moj <jodie.jones@digital.justice.gov.uk>
Date:   Fri Nov 8 15:00:54 2024 +0000

    Removed associate_public_ip_address

commit 65b7f24
Merge: 8817582 7aeab18
Author: jodiejones-moj <jodie.jones@digital.justice.gov.uk>
Date:   Fri Nov 8 14:33:26 2024 +0000

    Rebased with main

commit 8817582
Author: jodiejones-moj <jodie.jones@digital.justice.gov.uk>
Date:   Fri Nov 8 14:30:07 2024 +0000

    Removed installation of docker and cloning of defect dojo from user_data

commit ff85ff1
Author: jodiejones-moj <jodie.jones@digital.justice.gov.uk>
Date:   Thu Oct 31 11:44:24 2024 +0000

    Added EC2 instance to host Defect Dojo
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pricemg pricemg pricemg approved these changes

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@madhu-k-sr2 @pricemg